As the world leader in Internet security, Check Point’s™ integrated security solutions Connect, Protect, Manage and Accelerate the network security of more than 100 million users worldwide.

CONNECT. Leading global companies rely on Check Point VPN solutions to connect employees and offices everywhere. Regardless of where business happens — even in the most remote locations — people and companies are securely connected to their critical information.

PROTECT. Check Point’s fail-safe firewall infrastructure provides the highest level of security for every network from the edge to the core. Our authentication, access control, and content security features have become the trusted global industry standard.

MANAGE. Check Point’s revolutionary Security Management Architecture (SMART™) lets you instantly deploy and distribute security policies regardless of user location. All aspects of network security can be defined and managed from a single console, dramatically reducing your total cost of ownership.

ACCELERATE. Check Point’s VPN and firewall solutions deliver wire-speed performance up to three times faster than other network solutions. Now you can maintain absolute network security without sacrificing the performance of business-critical applications or bogging down your network.

Check Point

Find out the latest in Internet security by downloading our white paper “Building Secure Wireless LANs” at www.checkpoint.com/wireless/cso or call (866) 488-6686.

©2002 Check Point Software Technologies Ltd. All rights reserved.
Protection in every location. Managed and integrated from one location.

Symantec Security Management Console

Introducing the Symantec Security Management System.

For the first time, security data from multiple locations, multiple tiers — even multiple brands of information security products — can be managed with a single system, at a single console. Which means that enterprise-wide policy compliance is finally a real possibility. It also means that because you’ve simplified your environment, you can reduce your operating costs. And, most importantly, you can now be more responsive to new and emerging threats, eliminating them before they do damage. It’s part of a revolution in information security, a revolution that offers better protection, efficient management and ensured business continuity for your entire enterprise. For our latest White Paper, “Managing Security Incidents in the Enterprise,” visit http://ses.symantec.com/USA659A8yE or call 800-/45-6054.

Symantec.
“This is people’s livelihood that I’m protecting. It’s their ability to send their children to college, to pay for their daughters’ weddings. It’s a very big deal.”

-SHARON O’BRYAN, CISO AT ABN AMRO
PAGE 46
28 Smackdown!

HEAD-TO-HEAD Two former colleagues square off to debate the division of roles and responsibilities of security leaders.

34 COVER STORY Watch This Way

EMPLOYEE MONITORING What you don’t know about how your employees are using company resources can hurt you. But remember this: There are acceptable—and not so acceptable—ways to monitor employee activity. By Daintry Duffy

40 Tying the Knot

MANAGED SERVICES Service-level agreements are at the heart of most managed information security contracts. But they don’t guarantee that buyer and seller are pulling in the same direction. By Malcolm Wheatley

46 Called to Account

THE CSO ROLE Some security executives see protecting their company’s assets as a way to earn a living. ABN Amro’s Sharon O’Bryan sees it as her mission. By Simone Kaplan
22 Defending Your Budget

SECURITY COUNSEL Aon CISO Tina LaCroix answers readers’ questions on how to sell security in the boardroom.

24 Free Parking

FLASHPOINT New legislation gives security the power to trump customer privacy. By David H. Holtzman

56 A Sordid Tale

CSO UNDERCOVER One anonymous CSO’s account of the dark side of security that goes beyond hackers and thieves.

DEPARTMENTS

13 Briefing

Hackers with a cause; Brother, can you spare some privacy?; Go virtual, young man; Faster than a speeding megabit.

20 Wonk

To promote public safety, the U.S. government has agreed to protect companies that create antiterrorism technologies. But only to a point. By Julie Hanson

53 Machine Shop

Is there a white knight solution to spam? By Simson Garfinkel

TOOLBOX: Real-time security monitoring dashboard; Gunshot-locating technology.

Lessons from the silver screen.
Provisioning giving you a headache?

With CONTROL-SA, provisioning is no longer a daunting task. It’s secure, cost-effective, and provides you with complete control over your IT infrastructure and business resources.

Serving as the foundation for secure identity management, CONTROL-SA enables your organization to meet today’s business challenges and benefit from a rapid return on investment. Administration is streamlined. Access is granted and revoked in minutes - not days. Passwords and user IDs are managed effectively.

And your organization is one step closer to full compliance with privacy regulations.

CONTROL-SA, the pioneering provisioning solution with the most customers and the longest deployment history, now provides enhanced Identity Management capabilities:

• Easy administration via a Web-based Security Console

• Fast deployment and rapid ROI using the XpressAgent methodology

• Open architecture facilitating integration with current IT implementations

• Unmatched scalability to serve large global enterprises

• Virtual Directory capabilities to benefit from LDAP convenience and connectivity

For more information, call 800-865-4262 or visit www.bmc.com/security/provisioning

BMC Software, the BMC Software logos and all other BMC Software product or service names are registered trademarks or trademarks of BMC Software, Inc. All other trademarks or registered trademarks belong to their respective companies. ©2003 BMC Software, Inc. All rights reserved.

RELIEVE THE PROVISIONING PAINS WITH CONTROL-SA®
Security Counsel

This month, Lloyd Gauntlett Hession, CSO of Radianz, will be available online to answer your questions about risk. Visit SECURITY COUNSEL to post a question or to read past expert advice on HIPAA, financial services, physical security and budgets. www.csoonline.com/counsel

CSO Research

Go online and read exclusive research reports written by Research Editor Lorraine Cosgrove Ware. Recent topics include budgeting, disaster recovery and our latest report “Confidence in IT Security Growing.” www.csoonline.com/csoresearch

News You Can Use

We scour the Web each weekday for the security headlines and stories you’ll want to read, and we condense them so that you get up to speed fast. You can also dig deeper by clicking on a link to the full text of each article. www.csoonline.com/news

Career Resources

Jump-start or advance your career with postings in our JOB CENTER and the listings in our EVENT CALENDAR. Need advice? Ask our CAREER EXPERT, Joyce Brocaglia. Want to know who is where? Read MOVERS & SHAKERS. www.csoonline.com/career

Free Newsletters

We’ll bring CSO right to your inbox every month—for free. CSO UPDATE highlights the most recent content posted on CSOonline. CSO WANTED UPDATE alerts you to the latest security-related job openings in our database. It takes only a few seconds to subscribe. www.csoonline.com/newsletters

Only Online

Check out the fresh content on CSOonline every weekday. Here’s a rundown of what you’ll find:

MONDAY

TALK BACK Is our government prepared for a major cyberattack? Visit each week to share your opinions on this and other controversial security topics. www.csoonline.com/talkback

TUESDAY

SECURITY CHECK Quick and easy. Vote in our weekly security poll. You can also check the results of previous polls such as “Have you used the ISO 17799 information security standard?” More than half (54 percent) of respondents answered yes but said they used the standard only as a starting point for security management. www.csoonline.com/poll

WEDNESDAY

ANALYST REPORTS We’ve gathered research and analysis from respected sources and put it in one convenient package. Read what the analyst community thinks will be in store for 2003. www.csoonline.com/analyst

THURSDAY

METRICS Did you know more than 7,000 computer viruses were reported in 2002? Visit each week for the surveys and statistics that matter for security professionals. www.csoonline.com/metrics

FRIDAY

POLITICS & POLICY The 108th Congress is now in session. Find out what’s on the agenda and how new laws and regulations will affect your business. www.csoonline.com/politics
Find confidence in the midst of chaos

Focus on the best in network security, every step of the way

Start with a secure foundation.

Our operating system, IPSO, is built from the ground up for security. It eliminates many vulnerabilities common to general-purpose servers, and also incorporates our patented IP Clustering technology. Multiple Nokia security appliances can be linked as one, on the fly, for new levels of performance, reliability and scalability.

Integrate the best in network security expertise.

Partners like Check Point Software Technologies, Internet Security Systems and F5 help us deliver the full capabilities of their VPN firewall, intrusion protection, and Internet traffic management applications. To learn about the other ways we give our customers greater peace of mind, just visit www.nokia.com/ipsecurity/na

NOKIA
Connecting People

© Nokia Inc 2002. All rights reserved. Nokia and Nokia Connecting People are registered trademarks of the Nokia Corporation. Other product and company names mentioned herein may be trademarks or trade names of their respective owners.

Affinity Programs

Judging from the results of a survey CSO conducted late last fall, a high percentage of respondents (from among nearly 800 CSOs and other top security executives) may feel more of an allegiance to their former colleagues in law enforcement than they do to their enterprise’s customers. In answer to our questions about their willingness to rat out various stakeholders and under what conditions, 24 percent of respondents said they would give up information about customers to government or law enforcement agencies without a court order. When it came to their trading partners and employees, the percentages were 23 and 37, respectively (or disrespectively, in the case of the poor benighted employees).

Upping the ante somewhat, we asked roughly the same question in the context of a national security investigation; in that case, the segment willing to give up customer information without a warrant rose to 41 percent (versus 43 percent who would surrender such data only under court order or subpoena).

To me, this says something about the strength of professional affinity. In many cases, CSOs come from law enforcement backgrounds. They trust police and government agencies to operate in good faith and to do the right thing. Sometimes the people who come knocking for information are old friends whose ties go back a long way. One prominent CSO told me he is frequently called by former police colleagues trying to locate people on outstanding criminal warrants. On request, he would search his company’s customer records and, if any matches were found, provide the subjects’ address information to police.

We live in a world in which most people don’t have guilty consciences (even those who ought to). In the view of a self-described average citizen, those who have “nothing to hide” should never object to invasions of their privacy. By that rationale, privacy is itself a presumptively suspect condition, making those who would insist upon it appear to be guilty of something. Dan Geer, the CTO of security consultancy @Stake, has opined that privacy is a generational thing and that the expectation of having any is being gradually bred out of the populace (this is of course less true in Europe, which continues to exalt privacy). Some of us of a certain age are outraged by practices that younger citizens may take for granted. My mother, for example, reacted with horror to surveillance video of a woman beating her child in a mall parking lot. Her horror, however, was triggered more by the very existence of the video than by the behavior of the woman.

But when it comes to customers, CSOs entreated by police or government agencies to divulge customer information should at least feel the twinge of divided loyalties. They need to ask themselves what, if any, duty they may have to protect the information they get from customers. Must the privacy of customer information always take a backseat to requests from law enforcement? Should such requests be governed by probable cause limitations applied by courts? At a minimum, should customers be fully informed as to the circumstances under which a company will provide information to police?

Clearly, an important debate is needed now about privacy in the context of national security. CSOs should stop to consider where their loyalties lie and whether customers would agree that those loyalties are in the right place. For more on CSO’s related survey, visit www.csoonline.com/csoresearch/report49.html.

-Lew McCreary
mccreary@cxo.com

8 www.csoonline.com February 2003

PHOTO BY WEBB CHAPPELL


CCTP would have made his life much easier.

Introducing CCTP, video surveillance for the digital age

Want to know more? Simply go to anixter.com/CCTP or call 1-800-ANIXTER.

CCTP, engineered by Anixter, is:

• The only open architecture, standards-based, structured video surveillance solution

• 30% less expensive than traditional CCTV systems

• Video, Power and Control over one optimized UTP cable

• Able to handle existing analog technology

• Ready for the IP surveillance future

CCTP products exclusively manufactured for Anixter by Belden and Siemon.


csoletters@cxo.com

Of Wonks and Minions

We’re still opening all the mail we received for “The Best Defense Is a Firing Offense” [December 2002]. This column told the story of a CSO at odds with his IT director. The topic is volatile, and readers let us know.

I READ YOUR COLUMN WITH A mixture of laughter and contempt. For those of us who have been there on the technical ramparts, the executives frequently sound like blockheads. For the executives, too, the wonks we tolerate are always telling us the sky is falling. In the real world, customer requirements are frequently gibberish driven by little more than the feeling a vice president gets after reading an airline magazine. And wonks being wonks, they love their tools and are loath to permit someone to tell them they have an ugly baby. Fair enough.

But in your piece, you had an executive who didn’t serve a purpose. The CSO looked like an order taker who neither investigated his higher-up’s request nor questioned it. If the top security boss really doesn’t know security or technology, he is useless to begin with. The technical ranks know this and respect the boss accordingly.

This is not to say the technical guy was right to draw a line in the sand since any sane person doesn’t mess with a powerful, insecure boss. His response should have been to demand some kind of risk acceptance and a remediation plan to move forward. That way he’s not on the hook, and the project sponsor understands what they are really asking for.

The end result is that the CSO has maneuvered his own minions into never telling him the truth.

STEPHEN RIFKIN
Technical Architect, World Wide Security
IBM Global Services
Research Triangle Park, N.C.

VERY INTERESTING column. I agree that the “Technology Guy” was wrong in the end, but so too was the CSO.

I do think the CSO knew that in sending the e-mail to Technology Guy he would upset him. The CSO should have involved the Technology Guy in the solution. No doubt Technology Guy will be in a huff, but at least all the cards are on the table.

The other problem was that the CSO stepped on Technology Guy’s toes when the CSO orchestrated the demo. I don’t see anything wrong with the CSO contacting other execs, but after finding the solution, the CSO should have discussed it with Technology Guy.

ANONYMOUS
Secure Sharing

We thought our article on information sharing [“Safety in Numbers,” November 2002] supplied a host of venues where CSOs could connect with peers. At least one reader had another suggestion.

I ENJOYED YOUR ARTICLE ON INFORMATION sharing. However, it was targeted at sharing in the major market areas such as New York City and Washington, D.C. While those areas are definitely critical, the sharing of information in places away from those major markets provides some unique challenges.

I fully support the activities of the Information Sharing and Analysis Centers, InfraGard and the Information Systems Security Association as vehicles to facilitate information sharing among CSOs. However, their meetings attract the same attendees, and they never seem to expand security awareness into all sectors. In the Internet-connected age, it is critical that all firms and agencies have a good basic understanding of information security principles and practices.

In the Tampa area, we brought together a CyberSecurity Summit meeting in January which was jointly sponsored by Raymond James Financial, St. Petersburg College and the FBI. We enlisted speakers from the government, academia and private industry for presentations and panel discussions. Invitations were sent to select law enforcement, military, government and private-sector senior management.

Our goal is to raise the awareness across all industry sectors in the Southeast and hopefully provide initiatives to firms that have not yet gotten serious about information security.

GENE FREDRIKSEN
Vice President, Information Security
Raymond James & Associates

We want to hear from you.

E-mail criticism, thoughts and suggestions to csoletters@cxo.com. You can read the stories mentioned in these letters at www.csoonline.com/read/index.html.
The Truth Is in the Honey

Our September 2002 Undercover column, “Double-Edged Success,” dealt with the irony facing most CSOs: Screw up, and you’ll be called to task. Do your job too well, and no one will realize how important you are. This reader claims the solution is in the technology. Do you agree?

I HAVE A RELATIVELY EASY SOLUTION for your dilemma in “Double-Edged Success”—get a honeypot. Using this security technology, you will always be able to show that you get compromised if no security investments are made. In a way, the honeypot will provide you with a “crisis in a box.” It can be shown to execs but will not hurt the company’s security. Just add the penetration statistics from this honeypot to your budget request. You will stay ethical and will show higher attack and threat count.

ANTON CHUVAKIN
Senior Security Analyst
netForensics
anton@chuvakin.org
What Will It Cost Me?

We took on the challenge of calculating security ROI in our December article, “Calculated Risk,” but perhaps we didn’t go far enough. It’s important, and we’ll revisit it. Often.

YOUR ARTICLE “CALCULATED RISK” was a good first step in discussing security ROI, but more is needed. I see security ROI as the means to understand costs both internally (within the project and enterprise) and externally (within the industry sector and, more broadly, the national interest). The costs considered are those associated with achieving survivability, performing cleanup following an intrusion, realizing lost opportunity costs because of an intrusion and critical infrastructure impacts. Alternative methods to compute security ROI are needed to answer questions important to the security investment decision.

The availability of a common industry security ROI methodology would deliver numerous benefits:

1. We’d better understand the contributors to security readiness, the costs to achieve security readiness and the costs to recover from cyberspace incidents.

2. The enterprise can reason about its security investments with precision.

3. The public-private collaboration that will determine responsibility for paying for security can be better informed.

4. The relationship between levels of security readiness and recovery costs can contribute to the actuarial basis for underwriting cyberspace insurance.

5. The state of security readiness for the nation’s critical infrastructure dependency on software can be better assessed.

The cost burden for cleanup impact falls on the project, lost opportunity impact falls on the enterprise, and the cost burden for critical infrastructure impact falls on the government, perhaps through insurance mechanisms. Once the cost ownership responsibilities are clearly accepted, real progress on security can be made.

DON O’NEILL
Executive Vice President
Center for National Software Studies
Montgomery Village, Md.
ABOUT IDG International Data Group (IDG), the leading global provider of IT media, research, conferences and events, informs more people about technology than any other company in the world. Offering the widest range of media options, IDG reaches more than 120 million technology buyers in 85 countries representing 95 percent of worldwide IT spending. IDG publishes more than 300 newspapers and magazines in 85 countries, led by the Computerworld, Infoworld, Macworld, Network World, PC World and CIO global product lines. IDG offers online users the largest network of technology-specific sites around the world through IDG.net (www.idg.net), a gateway to IDG’s 330 websites powered by more than 2,000 journalists reporting from every continent in the world. IDG also produces 168 technology-related conferences and events, and research company IDC provides global market intelligence, analysis and forecasts in 43 countries.
-GEORGE CAMPBELL, THE FORMER CSO OF FIDELITY (SEE “SMACKDOWN!” PAGE 28)
CERTIFIED INFORMATION SECURITY MANAGER™

YOU and CISM: a WINNING COMBINATION

Some combinations are just natural winners. Like the combination of your security management experience and ISACA®’s new information security certification, CISM™.

CISM (Certified Information Security Manager™) is a groundbreaking credential specifically designed for information security managers. It is intended for those who must maintain a big-picture outlook by directing, crafting and overseeing an organization’s information security. This new credential is brought to you by Information Systems Audit and Control Association®, the organization that has administered the world’s most prestigious IS audit credential for 25 years.

A “grandfathering” process is open to qualified individuals for a limited time

and find out how to be a part of a winning combination.


News, Stats and Fast Facts

Edited by Kathleen Carr and Daintry Duffy

HACKTIVISMO is fighting oppression with licensing terms that some deem to be oppressive.

Hackers with a Cause

OPEN SOURCE A hacker group called Hacktivismo has created HESSLA, an open-source license with ambition. What kind of ambition? Well, fighting eroding privacy standards, for one. And, if that’s not enough, how about fighting for human rights?

HESSLA stands for the Hacktivismo Enhanced-Source Software License Agreement. It borrows heavily from the GNU General Public License (GPL), the most prevalent open-source license. Under GPL, any changes you make to freely available source code must be published if you intend to sell an application based on the modified source code.

The same holds true with HESSLA. But software licensed under HESSLA is also barred from use by governments that violate human rights. HESSLA contains language that would, ostensibly, let licensees take human rights violators to court because use of the license constitutes a waiver of sovereign immunity.

“In other words, if Myanmar or China want to keep violating human rights, then they have no choice but to steer clear from using Hacktivismo’s software in connection with any of their wrongful projects,” notes a Hacktivismo news release. “If not, then this software license just may be the victims’ long-needed ticket into court; their pathway over the obstacle to justice previously presented by sovereign immunity.”

HESSLA also prohibits (and makes legally actionable) the use of the software for “monitoring of individuals,” and prohibits changes to its software that involve “spyware, surveillance technology or other undesirable code.”

This is rather broad language. “Monitoring of individuals” could mean anything from spying to spam filtering. And “other undesirable code” is so vague it’s impracticable.

The Free Software Foundation (FSF), crafters of the GPL, is against the license. FSF suggests that while the restriction might seem like a good idea because it targets reprehensible behaviors, it’s still restriction.

“[HESSLA] is not a free software license,” an FSF policy brief at Gnu.org states. “The ironic result is that the community of people most likely to feel sympathy for the goals of the HESSLA cannot contribute to HESSLA-covered software without violating its principles.” In other words, Hacktivismo is fighting oppression with licensing terms that are deemed by some as, well, oppressive.

FSF also suggests that, under U.S. law, a license like this can’t restrict usage of the program, and it would be as hard to enforce as pulling over everyone who speeds on the highway every day.

Still, HESSLA has people talking. With programs in the government like the notorious Total Information Awareness project, and other privacy-eroding concepts like covert monitoring of Web surfing at libraries, some argue HESSLA at least gets people thinking about the state of privacy. -Scott Berinato

SECURITY BLANKET

Are you secure? Survey says: No

Almost of employees think current physical security measures are not adequate to prevent unauthorized access.

SOURCE: “ENTERPRISE SECURITY TRENDS,” GARTNER, AUGUST 2002

ILLUSTRATIONS BY JOHN UELAND
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Follow-Up  on  FOIA 

LEGISLATION  For  years,  cor¬ 
porate  executives  were  clamoring  for 
an  exemption  to.the  Freedom  of  Infor¬ 
mation  Act  (FOIA)  to  reassure  them 
that  information  they  shared  with  the 
federal  government  about  critical 
infrastructure  protection  stayed  with 
the  federal  government.  (See  “Every¬ 
thing  You  Ever  Wanted  to  Know  About 
FOIA,”  November  2002.)  On  Nov.  25, 
when  President  Bush  signed  legislation 
creating  the  Department  of  Homeland 
Security,  they  got  their  wish. 

A small section of the new law protects voluntarily submitted information regarding “the security of critical infrastructure and protected systems, analysis, warning, interdependency study, recovery, reconstitution or other informational purpose” from public requests submitted under FOIA. More controversially, it also stipulates that the department not use the information in any civil action without the written consent of the entity that submitted the information.

“I know there have been some concerns about it going too far, but I don’t view it that way,” says Bruce Bonsall, CISO of MassMutual. Although it’s too soon for the law to have had any impact just yet, he says that eventually, “it’ll make the private sector that much more comfortable in sharing information about threats and vulnerabilities with the government, and we absolutely need to do that to protect the critical infrastructure.”

If companies do decide to share information, they’ll have to label it carefully. For protection, the person or entity submitting the information must provide written notice stating, “This information is voluntarily submitted to the federal government in expectation of protection from disclosure as provided by the Critical Infrastructure Information Act of 2002.”

-Sarah  D.  Scalet 


-COL.  THADDEUS  DMUCHOWSKI,  DIRECTOR  OF  THE  ARMY’S  INFORMATION 
OPERATIONS  ASSURANCE  OFFICE,  SPEAKING  AT  A  CONFERENCE  OF  THE  NATIONAL 
HIGH  PERFORMANCE  COMPUTING  &  COMMUNICATIONS  COUNCIL 


Brother, Can You Spare Some Privacy?

CUSTOMER DATA Companies that wish to display the TRUSTe seal on their website will have to demonstrate a higher level of privacy protection for customer data. TRUSTe is an organization composed of online privacy advocates and companies, including AOL Time Warner, Intuit and Microsoft. Its global privacy certification program allows companies that are in accordance with the group’s consumer protection policies to display the TRUSTe seal.

However, although the new requirements are an improvement on previous certification guidelines, Chris Hoofnagle, legislative counsel at the Electronic Privacy Information Center, counters that TRUSTe and its member companies are really just playing catch-up to recent Federal Trade Commission rulings.

Recently, the FTC has taken action against Microsoft for misrepresenting aspects of its Passport service, Eli Lilly for lax security practices that compromised consumer data, and American Student List for improperly selling information collected from high school students. According to Hoofnagle, all those motions have raised the bar on consumer online privacy protections.

Those rulings, more than TRUSTe’s guidelines or those of other seal organizations, create what Hoofnagle calls a “common law of privacy” on which future enforcement actions can be taken by organizations like the FTC.

Less clear is where CSOs should look for reliable information on best practices to protect customer and employee data collected on their own websites.

Hoofnagle recommends that CSOs look to the Organisation for Economic Co-operation and Development’s privacy guidelines and statements about fair information practices. Canada’s online consumer protection laws could also serve as a good guide. Both are strong and comprehensive.

While  the  FTC  says  it  supports  the  work 
of  seal  programs  like  TRUSTe,  it  doesn’t 
specifically  endorse  any  particular  program. 

“The FTC hasn’t taken a position on the specific policies of an organization. We do not comment on the specifics of seal programs,” says Toby Levin, an FTC attorney.

However, CSOs that abide by the precepts of a seal program are likely to stay in good stead on the privacy front, as Levin acknowledges that the certification requirements of programs like TRUSTe often exceed what is required by law. -Paul Roberts


CSO:  How  did  you  talk  with  the  dealerships  prior  to  using 
VPNs  to  connect  them  with  Toyota  USA? 

Bently  Au:  We  used  dial-up  and  satellite  connectivity.  The 
dial-up  network  that  we  had  in  place  was  19.2Kbps.  New 
Web-based  apps  required  128Kbps  minimum,  so  we  had 
to  make  a  switch.  We  looked  at  frame  relay  as  well. 

Did  you  find  VPN  technology  to  be  cost-effective? 

That's  tough  to  measure.  Dealers  are  paying  for  their 
own  connections,  so  for  them  the  cost  is  higher,  but  they 
are  happy  with  what  they  got. 

Did  your  parts  suppliers  have  to  make  the  VPN  transition 
as  well? 

Our suppliers are still on frame relay. They’re waiting until the availability is a little higher on the VPN. On frame relay availability is 99.9 percent, but it’s 98 percent on the VPN. Our suppliers have some server-to-server [communications] that are time-critical and have to get out immediately; they have a bit of a different requirement.

Did  you  have  security  concerns  with  moving  to  a  VPN? 

We weighed the security options. We realized that any way we went about installing the VPN we could secure it; it was just a matter of cost. Frame relay might be more secure, but it’s also more expensive. The VPN that we chose has an integrated firewall because an open Internet solution would require us to do more SSL [secure sockets layer] encryption to make it secure.

We’ll handle any security concerns that we have through education. [You can’t] address security through a mandate. It behooves CSOs to do due diligence; lay down some security policies, and educate users as to what your expectations are. This is critical for any business connecting via a VPN.

In our case, most dealerships aren’t savvy about security, and they’re even less savvy about privacy. So, we’re refining dealer agreements now and putting an education network in place.

What  problems  or  concerns  have  you  encountered  with 
VPNs  that  you  would  encourage  other  CSOs  to  look  for? 

The  problem  we  still  have  is  figuring  out  whether  or  not 
we  need  to  go  beyond  VPN  for  encryption.  We  currently 
use  SSL  to  encrypt  users’  passwords  when  they  log  on, 
but  we’re  wondering  if  that’s  enough. 

Security at the connecting dealerships is another concern. They’re a VPN endpoint for us, and there’s a certain amount of trust inherent in that endpoint.

CSOs should expect VPN implementation to take longer than they might think. Getting the LAN [local area network] infrastructure together at all of our dealerships took some time—18 months from beginning to end. We thought it’d be closer to 12 months.

PHOTO  BY  MARK  ROBERT  HALPER 


Go Virtual, Young Man, Go Virtual

VIRTUAL PRIVATE NETWORKS Exploring new frontiers is often risky. Imagine believing the world is flat and attempting to sail around it anyway. Virtual private networks (VPNs) were once part of this category of the unknown. But, over time and with exploration, it became clear that VPNs make sense for security. Although they use a shared public infrastructure like the Internet, they maintain privacy with tunneling protocols that encrypt and decrypt the data at the sending and receiving ends.

VPNs also scale and allow relatively low-cost international connections. Some claim that there are no security concerns with VPNs, but we know better. CSO recently spoke with Bently Au, manager of information security for Toyota Motor Sales USA, which has implemented VPNs to connect dealerships with the corporate mother ship.
METRICS

Policies  at  Work 

The  best  security  policies  are  not  just 
implemented,  they  are  enforced.  A  recent 
Gartner  study  shows  the  types  of  security 
policies  that  large  companies  are  creating 
and  whether  they  are  enforced. 


[Chart: for each policy, the percentage of large companies with the policy in place and the percentage that consistently enforce it. Policies shown: employees required to change passwords; security policies posted on company intranet; entry badges for premises access; employer offers training on its policies; employee e-mail monitoring; restrict Net for personal use. Values shown range from 30% to 93%. Legend: Policies in place / Policies consistently enforced.]


PUBLIC  SAFETY  How  do  you  alert  290  million  people  to 
imminent  disaster?  That’s  the  challenge  facing  the  Partnership  for 
Public  Warning,  a  panel  of  academic  and  private-sector  experts, 
which  is  examining  ways  to  vastly  improve  the  nation’s  emergency 
warning  systems. 

The current methods of broadcasting emergency information vary: the National Weather Service warns of dangerous weather systems; the U.S. Geological Survey sends out alerts about natural disasters like earthquakes; the CIA, FBI and Department of Justice frequently issue separate warnings about criminal and terrorist activity; and the Environmental Protection Agency issues air quality alerts. The nation’s Emergency Alert System can reach only a small portion of the population, and citizens are so used to the annoying tests of the system that their first impulse is to change the channel.

What the nation needs, according to Peter Ward, chairman of the board of trustees for the Partnership for Public Warning, is a single system that can communicate through a variety of technology mediums as well as the capability to target that information to only those sectors of the country that will be directly affected. “What’s needed are professional standards,” says Ward. “Technology is not the problem; the technology is way ahead of everything else.” The partnership is bringing together the different stakeholders that have ownership of the current emergency systems in federal, state, local industry and emergency services to discuss and vet recommendations. The goal is to develop a system that will communicate with a broad range of devices—like TVs, cell phones and pagers—so that in an emergency devices that receive the emergency broadcast codes would respond appropriately. “Within 10 years, all Americans should have access to such a system,” says Ward.

SOURCE (Policies at Work chart): “Enterprise Security Trends,” an August 2002 Gartner survey of 422 companies in a variety of industries

-Daintry  Duffy 


Faster  than  a  Speeding  Megabit 


ENCRYPTION What do encryption and Superman have in common? Like the Man of Steel, encrypted information can now travel at the speed of light. Scientists at Northwestern University can protect data by transforming encrypted material into pulses of light. Called quantum cryptography, the technique sends the light pulses over fiber-optic lines at 250Mbps.

Users get keys to encode and decode the encrypted information. The data is sent within bursts of light. If anyone tried to crack the code, there would be nothing to see, not even the 1s and 0s composing the algorithms on which other encryption technologies are based. “The only way a hacker could get around the protections of light would be to break the physical laws of nature,” says Prem Kumar, professor of electrical and computer engineering and physics and astronomy at Northwestern. “These laws have stood the test of time for 100 years.”

Funded by a grant from the U.S. government’s Defense Advanced Research Projects Agency, Kumar's research, and its apparent invulnerability to hacks, will be of interest to the military. Northwestern is also working with BBN Technologies to commercially market the technique.

However, quantum cryptography does have its limitations. To date, the technology has only been tested over a maximum of four kilometers of fiber; most fiber-optic networks stretch over hundreds or thousands of miles. And while 250Mbps is more than 1,000 times faster than previous attempts at quantum cryptography, it’s considered relatively slow compared with the speed of data over fiber-optic lines. -Simone Kaplan

To offer comments, feedback or suggestions, e-mail csobriefing@cxo.com.


The Who, What and Why of Washington

Top Billing

NEWS FROM INSIDE THE BELTWAY


Liability  Limits 

To  promote  public  safety,  the  U.S.  government  has  agreed  to  protect 
companies  that  create  antiterrorism  technologies.  But  only  to  a  point. 

By  Julie  Hanson 


THE RECENTLY approved Homeland Security Act includes funding for the research and development of antiterrorism technologies. In fact, the federal government estimates that it needs $45 billion worth of funding to combat terrorism in FY 2003 alone. In order to encourage private industry to develop these new technologies, the government will accept liability for products if they fail in another catastrophe such as 9/11.

The lawmakers hope that this shift in liability churns the creative juices needed to protect the country.

The Safety Act (Support Antiterrorism by Fostering Effective Technologies) of 2002 protects new technologies deemed by the government as antiterrorism technologies and placed on the Homeland Security Department’s Approved Product List for Homeland Security. In short, it protects technologies designed or developed for the specific purpose of preventing, detecting, identifying or deterring terrorism.

Information Technology Association of America President Harris Miller calls this piece of legislation key to the advancement of antiterrorism systems. During the past year, he claims to have seen a decrease in the number of companies bidding for government contracts—mostly because companies do not want to be liable for catastrophic losses. “These companies were being asked to bid on contracts that if they won and—heaven help us—something happened, they could literally have lost their companies because lawsuits could put them out of business,” says Miller.


Miller gives the example of a company working on new technologies to secure airports. Say you develop a new scanner device that detects explosives, but a terrorist, who has found a way to get past your system, brings a bomb on a plane and it crashes. If this liability clause did not exist, the software or hardware maker of this new technology could be held liable for any deaths or damages associated with the crash.

But this exemption doesn’t give blanket coverage to vendors looking to develop subpar products. Lawsuits asking for damages are not banned, and if a company has misrepresented itself to the government, the liability protection disappears. Vendors are required to obtain the maximum amount of liability insurance for any antiterrorism product they develop. “This is not a [situation] where companies can produce anything they want. Congress is not going to step forward and give corporations that kind of out,” says Miller.

This practice of government assuming liability is not a new one. For more than 50 years, the Department of Defense has assumed liability for experimental weapons development, says Miller. And since 9/11, the government has even stood behind healthcare companies such as those developing the anthrax antidote Cipro. Miller says since the government asked the producers of Cipro to produce a mass amount of the product in a short time, they assumed liability if the antidote did not work.


The federal government received an overall grade of F on the annual Computer Security Report Card, conducted by Rep. Stephen Horn (R-Calif.). Fourteen of the 24 agencies reviewed failed, with the highest grade—a B—going to the Social Security Administration. Last year, the government’s overall score was also an F.

Former National Security Adviser John Poindexter has been put in charge of the controversial Defense Department’s Total Information Awareness system. This proposed surveillance system would have the capability of searching vast quantities of worldwide data looking for links and patterns indicative of terrorist activities.

Feb. 10-28, the U.S. Joint Forces Command will conduct text-mining tests to determine how well the United States, in addition to other test participants Australia, Canada, Germany and the United Kingdom, can mine and then communicate critical information in a crisis situation.

Computer equipment that stored the confidential files of more than 500,000 military personnel and their families was stolen from the Phoenix-based TriWest Healthcare Alliance. The information includes names, addresses and Social Security numbers. The healthcare company is offering a $100,000 reward to anyone who comes forward with information that leads to an arrest.


For more about what’s happening in Washington, visit our website at www.csoonline.com/wonk.


Security Counsel

Lobbying for and Defending Your Budget

Aon’s CISO Tina LaCroix answers readers' questions about selling security in the boardroom

Q:  I  am  finding  that  security  must  be  sold  to  board  members  in  terms  of  the 
opportunity  cost  versus  the  cost  of  not  doing  it.  Unfortunately,  things  need  to 
be  communicated  with  respect  to  their  impact  on  bottom-line  growth  these 
days.  Do  you  have  any  suggestions  on  how  to  communicate  security  budget 
needs  effectively? 

A: The downside costs of not having a stated, sustained IT security program are greater now than ever. Corporate officers are expected to exercise “due care” with respect to protecting the assets of the organization. Information is one of the largest assets that many organizations have. Before convincing the board of directors of the need for security funding, your corporate officers need to be aligned with your proposed strategy.

Have you gone through the exercise of identifying your company’s core systems and data? Once that is identified, place a dollar value on what the cost would be to have this information in the wrong hands (disgruntled employee, ex-employee, data broker, competitor). Focus on the desired end-results and place a value on these items (reputation, revenue growth, retained earnings). This too will factor into understanding how much to spend on security and where to focus your spending. With that information in hand you can begin to craft a reasonable, sustainable security strategy. Draft a three- to five-year security road map that clearly depicts what you plan to do, why you propose doing so and what the risks are of not moving ahead.

Board  members  understand  the  concepts  around  mitigating  controls  and 
risk  management.  Begin  to  think  and  speak  in  those  terms.  Accountability  is 
of  the  utmost  importance  on  the  mind  of  board  members,  C-level  officers  and 
auditors.  A  company  without  a  documented,  funded  and  sustained  program 
around  information  protection  is  engaged  in  risky  business. 


Q: How do you convince the board not to slash your security budget when you haven't had any security breaches, and, because of that, they feel like less money can be put toward security?

A: First of all, I applaud you and your team—it seems as though you have found the optimal balance between security and business productivity in your environment. The core function of IT security is to protect the company’s critical data and its information assets. Since total protection is not possible, I suspect that there are chinks in the armor somewhere. All your security tools and programs require refreshing and updates. The core infrastructure team must keep pace with technology so that you can provide the most up-to-date protection to them as well. All of that costs money. I suggest a security scorecard that depicts your core business areas, the security technologies, the awareness programs and the percentage of compliance that each has.

In this time of heightened regulatory and compliance responsibility, most companies find themselves under scrutiny by government agencies, clients or third-party business partners. As you renew contracts, you will find more and more language about your security practices included, plus requests for statements of policy, practice and technology strategy.

Looking ahead, that trend will continue and those groups will seek formal assurance and verifiable proof of your policies and practices while handling their business. The services around hiring a third party to assess and certify your security practice, contracting for a SAS-70 or other security audits are fairly expensive—typically fees start at about $70,000.

Due care and due diligence are in order regardless of the line of business you are in. Finally, I might suggest discussing your concerns with your colleagues in compliance, audit and legal; you might find some interesting perspectives to help build your case.


Have a security topic to suggest or an expert you’d like to hear from? Send your thoughts to Assistant Managing Editor Kathleen Carr at kcarr@cxo.com. Go online to see what your peers are discussing at www.csoonline.com/counsel.
Free Parking

New  legislation  gives  security  the  power 
to  trump  customer  privacy 

By  David  H.  Holtzman 


RIGHT BEFORE THANKSGIVING, an old mustachioed gent clad in tails and a top hat raced around the boardwalk to every service provider’s data center and left a present. The gift was a little orange “Get Out of Jail Free” card, and after the delivery he sped off in his teeny silver sports car.

The security world may not correspond exactly to a Monopoly board, but the Homeland Security Act and one of its provisions, the Cyber Security Enhancement Act of 2002 (CSEA), did change the rules of the game forever. This act gives service providers and some manufacturers a permanent home-team advantage in the matchup between security and privacy. In the same vein as the litigation exemption for smallpox vaccine manufacturers, the CSEA protects ISPs against security-triggered disasters that could occur if service providers pass contaminated data from their clients on to government sources. Even though this law is targeted at ISPs, the language is vague and could be interpreted in a universally applicable way. Only time and the courts will clarify the ambiguity.

Some  highlights  of  the  CSEA  include: 

■  Companies  can  give  their  customers’  electronic  information  (e-mail,  chat, 
phone  records,  purchases)  to  government  employees  without  legal  documents  or 
court  warrants.  This  applies  to  any  government  employee— regional  as  well  as 
federal.  This  includes  park  rangers  and  schoolteachers,  not  just  law  enforcement 
agents. 

■  The  information  does  not  have  to  be  offered  in  response  to  a  request.  It  can  be 
reported  at  the  initiative  of  the  company. 

■ The litmus test is an “immediate threat to a national security interest.” The company gets to make this determination. The bill gives no guidelines on what those terms mean.

■ If the company shows “good faith” in providing the information, it is free from resulting customer litigation.

■  Businesses  that  report  internal  security  problems  are  shielded  from  customer 
litigation,  and  the  reports  are  exempt  from  Freedom  of  Information  Act  requests. 

This is why I call it a Get Out of Jail Free card. As a corporate executive, I’m relieved to know that I have the Cyber Security Enhancement Act in my back pocket. As a security professional, I’m afraid that I’m going to turn into the Maytag repairman—the loneliest guy in town. It’s easy to forget about security when you don’t have to worry about lawsuits.

So  CSOs,  in  the  spirit  of  playing  the  game,  here  is  my  not-so-serious  advice  for 
cashing  in  on  the  opportunity: 


When security problems arise, immediately disclose them to the government, and take advantage of the immunity from disclosure to shareholders. Encourage your operations staff to read all employee e-mail. Post the good ones in the coffee room, and give a weekly prize to whomever finds the most outrageous one. Since you are not cleared to know what an actual national security interest is, make sure you use the words good faith as often as possible in memos. If you take the draconian step of limiting which employees get to read the good e-mails, make sure that you clearly identify them to avoid confusion. Have them wear colored armbands with easily recognizable symbols—one for the guy who gets to read all e-mail love letters, another for the person scanning all the personal health-care information, and so on. By the way, you shouldn’t just expect your people to know how to profile. Run a diversity training class that teaches the significance of surnames and other personal identifiers. Be creative in your attempts to spot the bad guys. Run pattern searches for words that you think are suspicious. You can include book titles like The Catcher in the Rye, big words like xenophobia or ethnic words like hummus. While you’re at it, it’s also reasonable to be suspicious of customers who are too clean and who don’t use any suspicious terminology. Let’s face it, they’re probably hiding something, so you better watch them too. And, just for the heck of it, report everyone who uses encryption. People who use that much security are bound to be involved in something shady.

Seriously, though, it’s a little depressing that the experience gained from years of protecting our customers’ privacy is now as outmoded as funding for a dotcom or demand for a VCR. With this bill and the spirit behind it, we may have reached the tipping point of privacy in our society. It’s hard to imagine any company refusing to comply with a request from the government no matter what business they’re in, and eventually it will affect CSOs in all U.S. industries. The million-dollar question is whether the exemption from lawsuits will apply to cooperative non-ISPs. They might have to Go Directly to Jail. ■

David H. Holtzman, former CTO of Network Solutions, also worked as a cryptographic analyst with the U.S. Navy and an intelligence analyst at DEFSMAC. He can be reached at david@globalpov.com. Send feedback and column ideas to Senior Editor Daintry Duffy at dduffy@cxo.com.
Now you can know what, when, where and how data change has occurred.

Tripwire® assures the integrity of your data and gives you the ability to effectively pinpoint and manage undesired change across all your servers and network devices. By establishing a baseline of data in its known good state, Tripwire software monitors and reports any changes to that baseline and enables rapid discovery and recovery when an undesired change occurs.

Maximize System Uptime

■ Identify change quickly
■ find and diagnose problems

Tripwire’s data integrity assurance solutions
that your systems remain uncompromised.
how change has occurred so you can recover quickly.
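The baseline-then-compare approach the ad describes, as an added example that is not Tripwire’s own code: snapshot a file tree in its known-good state, seal the baseline with an HMAC so the baseline itself cannot be quietly rewritten, then report what changed and how. The directory layout, file contents and key are constructed for the demo.

```python
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path


def snapshot(root: Path) -> dict:
    """Record the known-good state of every regular file under root:
    a content hash plus the metadata that explains *how* a change happened."""
    state = {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        st = path.stat()
        state[path.relative_to(root).as_posix()] = {
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "size": st.st_size,
            "mtime": int(st.st_mtime),
            "mode": oct(st.st_mode & 0o777),
        }
    return state


def seal(state: dict, key: bytes) -> bytes:
    """Serialise the baseline and append an HMAC, so an intruder who alters a
    file cannot re-baseline it too. The key must live off the monitored host."""
    body = json.dumps(state, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body + b"\n" + tag.encode()


def unseal(blob: bytes, key: bytes) -> dict:
    """Verify the HMAC before trusting the stored baseline."""
    body, _, tag = blob.rpartition(b"\n")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("baseline has been tampered with or key is wrong")
    return json.loads(body)


def compare(baseline: dict, current: dict) -> dict:
    """Classify every difference: added, removed, modified content, or a
    metadata-only change (mode/mtime/size differ, content identical)."""
    report = {"added": [], "removed": [], "modified": [], "metadata": []}
    for name in sorted(current.keys() - baseline.keys()):
        report["added"].append(name)
    for name in sorted(baseline.keys() - current.keys()):
        report["removed"].append(name)
    for name in sorted(baseline.keys() & current.keys()):
        old, new = baseline[name], current[name]
        if old["sha256"] != new["sha256"]:
            report["modified"].append(name)
        elif old != new:
            report["metadata"].append(name)
    return report


def demo() -> dict:
    """Constructed scenario: baseline a small tree, then apply the four kinds
    of change an integrity monitor should pinpoint. Returns the report."""
    key = b"constructed-demo-key"  # constructed; a real key is kept off-host
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin").mkdir()
        (root / "bin" / "ls").write_bytes(b"\x7fELF constructed binary\n")

        sealed = seal(snapshot(root), key)  # the stored known-good state

        # Simulated changes: content edit, metadata-only touch, removal, addition.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        os.utime(root / "etc" / "hosts", (1_000_000_000, 1_000_000_000))
        (root / "bin" / "ls").unlink()
        (root / "bin" / "ls.bak").write_bytes(b"\x7fELF constructed binary\n")

        baseline = unseal(sealed, key)
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```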
Powerful insights. Actionable ideas. Great Networking.

AN AGENDA FOR PROFESSIONAL AND PERSONAL SUCCESS

Hyatt Regency Coconut Point Resort & Spa • Bonita Springs, Florida • April 27-29, 2003


SUNDAY, APRIL 27

8:00 am-1:30 pm
Golf Tournament

3:00 pm-5:00 pm
Registration

6:00 pm-8:00 pm
Registration, Welcome Reception & Golf Awards
Hyatt Regency Coconut Point Resort & Spa

The Hyatt Regency Coconut Point Resort & Spa is surrounded by sparkling water, lavish gardens, manicured golf courses and a picturesque marina.

Extend your stay, or treat the family to the tropical climate of Florida's beautiful southwest coast, with nearby beaches and a 12-acre environmental preserve. Enjoy the 18-hole Raymond Floyd-designed championship golf course, the tennis courts, the pools, or fly-fishing lessons. Take advantage of the European spa and fitness center, and the extensive Camp Hyatt program for kids. Find great designer bargains at over 100 stores in the Miromar Outlets.


MONDAY, APRIL 28

7:00 am-8:00 am
Networking Breakfast

8:00 am-8:15 am
Welcome

8:15 am-9:15 am
The Complete CIO

CHARLIE FELD
Founder, The Feld Group & Former CIO of First Data Resources, Delta Air Lines, Burlington Northern and Frito-Lay

ABBIE LUNDBERG
Editor in Chief, CIO Magazine

JONATHAN ZITTRAIN
Conference Moderator and Co-founder, The Berkman Center for Internet & Society, Harvard Law School

The CIO role has evolved dramatically over the past several years; the nature of the job is more complex than ever—and the tough economic climate necessitates keeping an ever-vigilant eye on bottom-line pressures. CIOs increasingly have more of a hand in defining and driving corporate business strategy. And everyone—business line managers, the executive management team, the CEO, the Board of Directors—has greater expectations of their CIO. What are the essential skills and attributes needed to thrive in the CIO role today? Charlie Feld talks about his own experiences over time as CIO of very diverse businesses, and what his client companies demand today as they look to the CIO’s organization to continually help transform the company.

9:15 am-9:40 am
State of the CIO Survey Results Highlights

LORRAINE COSGROVE
Research Editor, CIO Magazine

9:40 am-10:30 am
View from the Top: Creating Value Through IT

A top executive shares his viewpoint on the role of IT, and the criteria for measuring a CIO’s ability to articulate and deliver true IT value to the enterprise.

10:30 am-11:00 am
Coffee Break and Sponsor Exhibits

11:00 am-11:45 am
Sponsor Briefings

11:55 am-12:40 pm
Sponsor Briefings

12:45 pm-2:15 pm
Networking Lunch

2:30 pm-3:45 pm
View from the Front Lines: Delivering Value Through IT

Moderator: JONATHAN ZITTRAIN

PARTICIPANTS:
HOWARD RUBIN
Vice President, META Group, Inc.

A blue-ribbon panel of executives discuss making the business case for IT initiatives, the do’s and don’ts of portfolio management, critical success factors in doing post-implementation audits—and the importance of clear communication all along the way.


3:45 pm-5:00 pm
The CIO Interview

MONTE FORD
Senior Vice President & CIO, American Airlines

Ford took on the top IT spot at the world’s biggest airline at the end of 2000, then had to deal with the acquisition and merger of TWA, the economic recession, Sabre selling its outsourcing business to EDS—and the events of 9/11. CIO magazine editor in chief Abbie Lundberg talks with Ford about his pivotal role in the organization and his plans for the future of IT.


5:00 pm-6:30 pm
CIO Peer-to-Peer Networking & Reception

TUESDAY, APRIL 29

7:00 am-8:00 am
Breakfast & Informal Discussion Roundtables

8:00 am-8:45 am
What Every CIO Should Know About Digital Rights Management
JONATHAN ZITTRAIN

Entertainment companies aren’t the only ones with digital content worth safekeeping. More companies now are realizing the potential threats and are seriously weighing the risks of not implementing digital rights management (DRM) technologies. These technologies can leverage your work if you produce content—and confound it if you consume it. They are infusing everything from video to text. Zittrain explores recent trends in DRM deployment, and discusses the impact on businesses of all types.

8:45 am-9:45 am
Best Practices for Evaluating Hot New Technologies

Moderator: MARTHA HELLER
Director, CIO Magazine's Best Practice Exchange

It's the universal problem for CIOs: hot new technologies confront you daily and you need to make the decision to adopt or ignore every single time. If you hop on the hype, you could risk millions—along with your reputation—but if you hang back and wait, you could miss the boat. This panel of CIOs, drawn from the CIO Best Practice Exchange, CIO Magazine’s private online network of senior IT executives, offers practical advice for evaluating the “next best thing.”


9:45 am-10:30 am
Becoming a Trusted Business Partner

The CIO’s sphere of influence has never been larger. You must work with executive management and peers, internal and external customers, line of business directors, staff and vendors. You must set and achieve both strategic and tactical goals, articulate and demonstrate ROI, communicate and manage expectations. One CIO shares the benefit of their experience.

10:30 am-11:00 am
Coffee Break & Sponsor Exhibits

11:00 am-11:45 am
Sponsor Briefings

11:55 am-12:40 pm
Sponsor Briefings

12:45 pm-2:00 pm
Networking Lunch

2:15 pm-3:30 pm
InFocus Workshop Breakout Sessions

InFocus Workshops are designed to give conference attendees the opportunity to meet in smaller groups, and discuss specific topics and issues in greater detail.

3:45 pm-4:45 pm
Developing the Next Generation of IT Leaders

Moderator: RICK SWANBORG
President, ICEX

In addition to honing their own leadership abilities, CIOs are concerned with identifying and developing effective leaders in their organizations. How do you train the technical staff to better understand and communicate with the business side? How do you pick the person to spearhead a key initiative? How do you effectively delegate responsibility? Swanborg and a panel of CIOs discuss the challenges involved, and share the techniques they’ve used to mold the next generation of IT leaders.

4:45 pm-5:30 pm
How to Get a Life

DR. RICK BRINKMAN
Doctor of holistic medicine and author of Life By Design: Making Wise Choices in a Mixed-Up World, and Dealing with People You Can’t Stand

With the Internet, cell phones, laptops, wireless, and loads of other nifty gadgets, we can now work anytime from anywhere in today’s 24/7 global business environment. Some say it’s wonderful because it gives us and our employees more flexibility. Others think it’s terrible because it means we’re expected to be on call all the time. Either way, it’s a fact of life. Dr. Rick looks at why it’s increasingly important to maintain a healthy balance between Life and Work.

5:30  pm-5:45  pm 

Closing  Summary 
JONATHAN  ZITTRAIN 

5:45  pm-6:45  pm 

Networking  Reception 

7:30  pm-9:30  pm 

CIO  Dinner  Party 


“Superb opportunity to network, learn, share, and a great reality check.”
Mike Nogle, VP & CIO, Tab Products

“The CIO Perspectives conference is the most valuable executive conference that I have attended.”
Richard Yanke, Sr. VP & CIO, Three Rivers Bank

“If you can only attend one IT management conference, CIO Perspectives is IT!”
Phil Go, CIO, Barton Malow


Visit us at www.cio.com/conferences or call 800 366-0246

The Resource for Information Executives
Two former colleagues square off to debate the proper design of security leadership, the division of roles and responsibilities, the curse of smarty-pants arrogance, and the need for more and better communication.


GEORGE CAMPBELL DOESN’T PULL PUNCHES. TRUST US. AFTER
was published, the former CSO of Fidelity sent us a terse missive about what he thought was a fundamental flaw


IN THIS STORY:

■ Where the CSO and CISO roles meet and compete
■ How the two can work together

BILL SPERNOW, CISO, says CSOs cannot appreciate the technical challenges of a CISO.


Head-to-Head 


In fact, Campbell views that bias as a sort of epidemic spreading through the security community. He’s concerned when he observes that CISOs have “captured” the title of CSO without really having the requisite skill set. And he’s frustrated by what he views as “intellectual arrogance” on the part of IT-centric information security officers. (OK, he actually calls them “propeller heads,” but they started it, he says, by suggesting that CSOs are just retired cops who don’t understand technology.)

Of course, we couldn’t resist a good fight. To that end, we had to find a counterpart to Campbell, a CISO who would go head-to-head with him. We got Georgia Student Finance Commission CISO Bill Spernow. To our delight, we learned that Spernow once worked for Campbell at Fidelity. So it wasn’t a surprise when Campbell started the conversation, which Senior Editor Scott Berinato moderated, by saying, “I’m surprised your parole officer let you do this, Bill.” Spernow ended the conversation by tipping his hat to his old mentor: “Good to see you’re still out there making people uneasy, George.”

CSO: We were turned on to this idea by you, George, when you wrote to us about this topic. You read the first issue, and the letter didn’t read like you were surprised by the focus on IT—disappointed certainly, but not surprised.

Campbell: Well sure. I’ve actually had several people send me responses to the letter you published. Here’s one I got recently:

“I read your letter in CSO magazine with interest. FYI, attached please find an executive summary of a CSO leadership program prepared by the Center for National Software Studies. This program focuses on IT security and the role of the CSO.” I responded to that clown as follows: “[Sir], thanks for the information. As I indicated to CSO magazine, what you and others are describing is a CISO, with an emphasis on the I.” I can only conclude that this guy either doesn’t read or doesn’t understand what he’s reading because I made it fairly clear that the CISO deals with some of the most critical assets of any modern corporation. But the role is nevertheless narrower by some significant measure—depending on what the asset base is of a company—than that of a CSO who has to investigate, do background vetting, due diligence examination, business continuity planning, security operations, first response—the whole nine yards.

I get offended when I see the CSO title being captured. Why do they feel compelled—Bill, why do you feel compelled—to take that title, which to me doesn’t imply what their job is?

Spernow: Well, because George is right, and George is wrong.

Campbell: He used to say the same thing when he worked for me. [Laughs.]

Spernow: From the percentage of organizations that reflect your experience, George, you’re right. But you represent only 5 percent of the population of folks doing any type of security. But because that 5 percent has high visibility, it represents most of what happens. That 5 percent gets the press, and as a result, the other 95 percent is struggling with trying to figure out how it’s going to make its security stuff compatible with its infrastructure and IT culture, which primarily hasn’t been focused on anything to do with security.

What most companies are doing is taking their best-case experience and saying, “We need to have somebody in charge of security.” Then they go out and find somebody who is a former bureau agent with great physical security credentials and the stuff that they can relate to, and because he took one information security training course, he’s also considered an information security specialist. So they hire him, and they task him with doing all the security.

I don’t see the people who, according to George, call themselves CSOs but should be information guys only, because that’s all they’re actually doing. In fact I see just the opposite of what George sees. I see guys being hired as CSOs who are only doing physical security, because of their background, but are also in charge of information security.

Campbell: I absolutely agree that people like myself or these ex-bureau agents—who don’t come from a background of information protection in the cyberage—have no business fancying themselves as CISOs. But there’s nothing wrong with them leading that effort as part of the global security strategy, as long as they’ve got the Bill Spernows of the world working within that team, whether directly for them or bridged in some sort of security council.

CSO: So George sees the CISO role as tactical and the CSO role as strategic. It also seems like he sees it, in some cases, as hierarchical, with the CISO under the CSO?

Spernow: I don’t think so. The larger the organization, the more likely the security effort will be accomplished if the CSO and the CISO are on a peer level. In a midsize company, I’d recommend that the CISO be independent to the point where maybe he reports to legal as opposed to IT because most of the IT exposure you’ll see from the information side is legal liability. And if you don’t have the backing of legal to argue your case in front of the board, then you’re probably not going to accomplish too much.

Campbell: I’d underscore that. My complaint with having the CISO as part of the IT department is you get the fox in the henhouse. Where do you have an honest set of controls that can make it before the audit committee in its own right?

Spernow: I’ve actually fought that battle [at the Georgia Student Finance Commission] and won. The CIO should be concerned with how to maintain the infrastructure today and how to plan for its future. The CISO should be looking at the ramifications of new technologies the CIO wants to adopt. [For more on this, see “How to Rope in Rowdy Technologies” at www.csoonline.com/printlinks.]

Campbell: Let me ask you this, then. To what extent does a CISO’s background and experience as an information security professional detract from his ability to effectively lead and strategize for the other aspects of security that a CSO controls?

Spernow: They become technocentric. I’ve seen CISOs try to integrate authentication log-ins with physical security controls like access cards. That’s usually where they stop because it ends up not working. At first, the locked door and exposed trash bins and all the other physical security issues associated with controlling building entry and exit...

CSO: ...they suddenly become technology problems.

Spernow: Yes, but CISOs don’t really grasp the real physical threat, or the human threat. I agree that having CISOs take on CSO responsibilities is usually a disaster. Once they’ve been exposed to it and integrate it into their mind-set, they can be effective. But it’s an uphill battle to make them change their mind-set.

Campbell: I’m reminded of a conversation I had with a CISO. I basically challenged him to tell me how the greater security organization could be engaged in the information security program. After a couple of minutes of pondering, he said, “Well, I suppose they could collect the trash.”

CSO: There does seem to be an institutional arrogance on the IT side. I don’t mean it to be a reflection of personal character. Just, you know, that everything is a problem that technology can solve.

Spernow: For those organizations that have the budget, I’ll agree with you that the technology becomes a solution, regardless of whether it’s actually applicable, because it’s familiar. If I ask an auditor to do an audit, he’s not going to look at AI approaches to technology. He’s going to say, “Give me the books and let me look at the columns.” Our history condemns us to certain limitations.

It reminds me of an article about a city in the Midwest that was experiencing problems with vehicles hitting pedestrians in the downtown area, and I remember reading an editorial suggesting that to fix this, cars should be designed so that when a car is getting ready to turn, it will beep and the pedestrian will know that the car is coming. Nobody suggested we train pedestrians to look out for cars. We need to think from that other perspective. Having that ability—to essentially come into an organization and get it to think another way—I mean, that’s the challenge that we all face. The biggest challenge I’ve had here is getting my employees to think like crooks, instead of like IT guys trying to stop crooks. If they can’t think like crooks, they’re never going to see the things that I need to know about.
Campbell: The bias is clear every year when we make the annual trek to the ASIS exhibit hall to find out what the technocrats have created for us. It’s easy to see this is technology in search of an application, but as CSOs, we also have a responsibility. Are we truly engaged with the technology community in articulating what our needs are? I think the answer to that, quite frankly, is no. For example, issues around trade secrets are soft and don’t necessarily have technology to address them. I’ve been looking for years for a technology like the smokeless, dust-free paper shredder, to make it easy and effective to destroy sensitive information. Because if [an executive has] to get up and walk down the hall to shred a document—these guys who are too damn important to think about things like that—they leave it for others to deal with, which is a security issue.

So I think technology is doing a hell of a job around what it has been built to do, but there’s still an awful lot on the operational side of information protection where it hasn’t been applied. Until now, we’ve let the CISOs have much more say in what the technocrats bring to market.

Spernow: You’re inferring that we don’t look at other solutions, and we’re going to miss the big one that is actually going to work and that, instead, we’re going to spend a lot of time looking at small ones that don’t work. In a lot of cases, that is where we’re at now. A lot of the controls we have here look good, sound good and they’re portable, but they don’t work. Because we don’t take the user into account or the actual individual who is part of the threat.

CSO: Let’s get back to the CSO versus the CISO. Has there been a tacit promotion of CISOs in some organizations to take on some of the broader CSO roles, whether or not the anointed individuals are prepared?

Spernow: I’ll be honest with you, when I was involved in the analyst community, we were all writing papers that said, “You need to have a CISO as part of your staff because you need somebody to champion the budget for info security that we see coming down the pike. And if that budget is left to IT, it won’t be spent well.” So in some cases we’ve created this quagmire of putting a person in the position [whose credentials weren’t] truly analyzed in depth. But it made sense at the time.

Campbell: Where does the audit program fit into this equation, Bill? Are the [auditors] doing their job to point out to committees and senior management what the risks are to their information assets?

Spernow: I think they try, but because the risks aren’t actually threats at the doorstep, they fail.

Campbell: It gets back to the notion of a true partnership [between CSO and CISO]. You need a fundamental relationship, based on the risk assessment and the relative roles and responsibilities that are going to be performed by the two organizations. The goal has to be to provide a total umbrella of protection to the enterprise. Otherwise, there are corporations where the [two parties] will never talk. And I bet Bill has seen more cases where CISO and CSO didn’t talk than those where they truly had a partnership...

Spernow: ...because they build their moats, and it ends up being ego issues.

Campbell: Well, you know, we’re the knuckle-draggers.

Spernow: Right.

CSO: George has said more than once that CISOs think CSOs are just cops, that they lock gates and so forth. Talk about those biases and how you get past them.

Spernow: From a CISO perspective, we see CSOs—without the info security role—as those whose methodologies are proven from a tactical perspective. That allows them to be totally strategic [in their focus]. In comparison, CISOs are always dealing with new developments. So we have to bounce between tactical and strategic [orientations]. For example, I’m struggling with intrusion detection and prevention, trying to deal with behavior patterns of traffic for which there are no set methodologies of counteraction. I’m trying to be strategic, but I have to figure out how this will just work. I’d like to be in the CSO’s position where he has that luxury, of being strategic all the time. CISOs don’t have that luxury.

Campbell: The premise here is that Bill’s removing the info security function from the CSO...

Spernow: ...for the purpose of the argument.

Campbell: Understood, understood. But if you do that in the real world, the person we’re talking about isn’t really a CSO anymore. The notion of a CSO must extend to all aspects of protecting assets, including information assets. The perception that we have the luxury of being more strategic—um, I’ll go along with it to a point. Except that I think our whole landscape is a learning process too. If anything, CISOs are dealing with more absolutes, the laws of physics, with machines. I’m dealing with behavior and the incredible number of variables in behavior. So it’s not technically complex, but it’s certainly not easy. And that’s where I see the intellectual arrogance of Bill’s colleagues. We’re rejected out of hand as being too ignorant to appreciate their challenges. What about our challenges? I bristle at that.

Spernow: George is correct in that the CSO cannot appreciate the technical challenges I have because, in a lot of cases, I don’t understand the challenges myself. And if I don’t, I’m damn sure a CSO won’t.

CSO: But can’t the two learn from each other? Aren’t there established CSO methodologies that just might apply to CISOs, if only they had a conversation about what, on a broad level, they were both trying to accomplish?

Spernow: There are some parallels, but the implications if something goes wrong are much more serious at my level than at George’s.

CSO: Is that true? Is that fair, George?

Campbell: Well, I think it might be more apparent if something goes wrong in Bill’s world. Either the problem is or it isn’t there, empirically. I’m trying to safeguard without the same set of absolute measures that a technocrat has.

Spernow: I don’t think I agree with this whole “laws of physics” assertion. Conceptually it might be valid, but in reality we’re experimenting every day in how we do this. We’re not dealing with set laws.

Campbell: The sad thing is the need to even have a debate like this. When you peel it back, we’re all in the same business. The fact that there’s a vocabulary, tools, principles applied by CISOs that are arcane or hard for a layman like me to understand doesn’t one bit change the fact that we’re all here to provide integrated controls. Integrated. Underscore that. I have to think about being prepared to work with information security executives; and when it hits the fan, they have to be prepared to help me.

You know, it’s all about vocabulary. CISOs will say, “You guys just aren’t going to understand what I’m trying to deal with here. It requires knowledge that you guys don’t have.” Acknowledged, right, understood. But suppose I ask, “What’s the purpose of the technology, this lexicon that I don’t understand? What are you trying to do?” And the CISO says, “Well, I’m trying to protect against intrusion.” Ah! That I can understand.

Spernow:  On  the  other  hand,  we’re  consid¬ 
ered  a  bunch  of  propeller  heads... 

Campbell:  ...pointy-headed  propeller  heads. 
[Laughter.] 

Spernow:  We’re  looked  at  as  techies  who 
somehow  managed  to  wriggle  into  manage¬ 
ment.  [People  like  George]  view  us  as  being 
here  because  of  a  special  skill  set  and  not 
necessarily  because  we  can  do  the  job. 
Campbell:  I  think  CISOs  start  with  the 
assumption  that  those  guys  on  the  other 


security  side,  that  CSO  team,  just  aren’t 
going  to  understand  what  my  problems  are. 
They  don’t  understand  what  I’m  up  against, 
they  don’t  understand  the  technology,  so 
what’s  the  sense  in  even  talking  to  them. 
Spernow:  But  how  do  you  get  around  that? 
It’s  tough,  because  you’ve  got  to  essentially 
convert  people  to  your  way  of  thinking  with¬ 
out  offending  them,  and  make  them  under¬ 
stand  what  you’re  trying  to  do  and  why 
you’re  doing  it.  I  mean,  that’s  probably  the 
toughest  job  that  I  have  on  a  daily  basis. 
Campbell:  But  what  happens  when  it  hits 
the  fan?  We  need  a  set  of  protocols  between 
the  two  organizations  so  that,  when  there’s 
an  intrusion,  someone  separate  from  the  IT 
side  is  making  sure  that  evidence  is  pre¬ 
served,  that  logs  are  preserved.  It’s  like 
arson:  IT  wants  to  put  the  fire  out.  I’m  look¬ 
ing  for  evidence  after  the  fire  is  out. 
Spernow:  But  if  you  try  to  do  it  during  the 
incident,  you’re  shooting  yourself  in  the 
foot— benefitting  the  bad  guys  more  than 
the  good  guys.  My  point  is  the  opposite  of 
George’s.  The  CISO  needs  to  be  put  in  place 
to  be  entirely  in  charge  of  an  incident.  I 
don’t  suggest  to  the  people  I  talk  to  that  the 
CSO  be  part  of  an  investigation.  [At  least 
not]  until  it  gets  to  the  point  where  we’re 
talking  to  employees  or  to  people  outside 
the  company,  where  CSOs  normally  have 
the  contacts  to  make  it  happen.  When  it’s 
internal  to  the  network,  then  the  CISO 
should  be  in  charge. 

Campbell:  Getting  back  to  the  model  Bill 
has  adopted— an  acknowledgement  that 
the  CISO  function  needs  to  be  outside  of 
IT  department,  correct  Bill? 

Spernow:  Always,  always.  It’s  the  biggest 
battle  I’ve  had  here.  If  I  see  an  organization 
where  the  CISO  reports  to  some  IT  compo¬ 
nent,  I  see  a  position  that’s  not  working, 
guaranteed.  The  conflict  of  interest  is  just 
too  much  to  overcome.  Having  the  CISO 
report  to  IT,  it’s  a  death  blow.  B 
IN THIS STORY: Reasons for monitoring employees’ e-mail and Web activities ■ How to do it without a backlash

Who hasn’t mistyped a URL or clicked on an innocent-looking link only to end up in one of those vile little pornographic cul-de-sacs that seem to lurk on the periphery of many popular Internet sites? While Whitehouse.gov brings you to the president’s squeaky-clean official website and updates on bill signings and the war on terrorism, the URL Whitehouse.com leads you to a smutty XXX site that capitalizes on its famous name with pictures of “Hot Interns!”

Whenever I accidentally hit one of these sites—which usually results in dislocating some body part as I reflexively lurch to click the window shut—I wonder whether I’ll be explaining it to my manager at my next performance review.

This is the same employee fear that CSOs are up against when they implement an employee monitoring policy (often tagged with the kinder, gentler moniker of “acceptable use policy”). Workers fret that their private communications will be laid bare to any network administrator, that infractions of the policy—even accidental ones—will be a cause for disciplinary action and that the corporate culture could take a distinctly Orwellian turn.

Concerns about surveillance are also shared by many CSOs who would prefer to leave e-mail and Internet baby-sitting to direct managers. But the question of whether to monitor what employees do on company time with corporate resources has been largely decided by legal precedents that are already holding businesses financially responsible for their employees’ actions. Increasingly, employee monitoring is not a choice; it’s a risk-management obligation.

A 2001 survey of workplace monitoring and surveillance practices by the American Management Association (AMA) and The ePolicy Institute showed the degree to which companies are turning to monitoring. Eighty-two percent of the study’s 1,627 respondents acknowledged conducting some form of electronic monitoring or physical surveillance. Of those, 63 percent of the companies stated that they monitor Internet connections, and about 47 percent acknowledged storing and reviewing e-mail messages. A follow-up questionnaire to the AMA’s survey also probed the companies’ rationales for monitoring. The highest-rated concern in this follow-up was legal liability (68 percent), followed by general security concerns (60 percent). Measuring employee productivity and generating fodder for performance reviews—the motives that employees usually ascribe to so-called corporate snooping—were significantly lower on the list.

The main reason for the disconnect between the corporate motives for monitoring and employees’ interpretations of them is that communication around the issue is so poor. One in five companies, according to the same survey, still doesn’t have an acceptable use policy for e-mail, and one in four has no policy for Internet use. Companies that do have policies usually tuck them into the rarely probed recesses of the employee handbook, and even then the policies tend to be of the vague and lawyerly variety: “XYZ company reserves the right to monitor or review any information stored or transmitted on its equipment.” Reserving the right to monitor is materially different from clearly stating that the company does monitor, listing what is tracked, describing what it looks for and detailing the consequences for violations. No wonder employees are anxious.

Open communication is the key to formulating the right policy and putting it into practice. CSOs that are explicit about what the company does in the way of monitoring and the reasons for it, and who actively educate employees about what unacceptable behavior looks like, will find that employees not only acclimate quite quickly to a policy but that they also reduce the CSO’s burden by policing themselves. Here are some of the best practices that companies have shared with us for formulating and rolling out monitoring policies and the advice that CSOs have offered for determining how much monitoring is appropriate for your company.


Monitoring by Law

ELECTRONIC COMMUNICATIONS PRIVACY ACT Prohibits the intentional interception of electronic communications. However, there are a number of exceptions that permit monitoring to occur. An organization may intercept communications when there is implied consent by the user. A company is also permitted to monitor its networks for business reasons and is authorized to monitor its employees if the company believes their activities are putting it at risk (for example, computer crime, system failure and unauthorized personal use).

NATIONAL LABOR RELATIONS ACT (NLRA) May place some restrictions on monitoring union employees. Because the National Labor Relations Board has classified a company’s computer network as a “work area,” any laws prohibiting nonbusiness use of e-mail could be considered unlawful under the NLRA. Organizations could also be in violation of the NLRA if their monitoring selectively punishes labor-organizing activities.

THE USA PATRIOT ACT Grants the executive branch expanded surveillance powers, including the ability to track e-mail and Internet usage, conduct sneak-and-peek searches, obtain sensitive personal records, monitor financial transactions, and conduct nationwide roving wiretaps.

For information on monitoring laws in your state, visit the Electronic Privacy Information Center at www.epic.org/privacy/consumer/states.html.


WHAT YOU CAN MONITOR: Can I see your hall pass?

Different industries have different pressure points that necessitate tracking and storing e-mail. The Securities and Exchange Commission mandates that all incoming and outgoing correspondence (including e-mail) for brokerage firms must be reviewed by a compliance officer, and e-mail messages must be stored on a diskette that can’t be deleted or overwritten; and it must be preserved for no less than three years to ensure that companies haven’t made claims that are beyond the scope of realistic investing. Some industries also have limitations on how tracking is done. The privacy protections provided by HIPAA, the Health Insurance Portability and Accountability Act of 1996, place a responsibility on companies to account for how health-related information is protected and transmitted. Collective bargaining agreements with labor unions curb monitoring of their members, and Fourth Amendment protections also restrict monitoring by government employers. In addition, laws restrict what kind of physical monitoring can be done in the workplace. For example, the law limits monitoring in areas where employees have a legitimate or reasonable expectation of privacy—for example, putting a closed-circuit camera in a bathroom or entering a locker for which a lock has been provided. Laws governing the recording of sound are also limited—physical surveillance systems are not permitted to record sound, and federal law dictates that phone conversations cannot be recorded unless an employee consents. Many states require the consent of all parties before a phone conversation can be monitored.

Regence Group CISO David MacLeod gets his message out to his employees about monitoring. “We characterize it as something that’s for their own protection,” he says.

While there are laws limiting specific kinds of surveillance, in general, private employers largely have free rein to monitor and scan electronic communications. (See “Monitoring by Law,” Page 36.) Deborah Weinstein, a labor and employment law attorney at the Eckert, Seamans, Cherin & Mellott firm in Philadelphia, notes another caveat: Employers may not monitor or intercept e-mail while it is in transit. Once it has been stored, it may be scanned as part of a regular business activity. It is also critical that any scanning or tracking be applied to every employee equally. Companies that do monitor can get into real trouble here. For example, a company may have a policy that mandates scanning every e-mail for product names to deter intellectual property theft. If a potential case of theft is uncovered, it will be important that the company show evidence was discovered in the course of a standard business practice of scanning e-mails. Otherwise, the employee might argue that his communications were scanned in a discriminatory manner. “You can’t routinely watch the activities of younger people more than older people or do surveilling by race,” Weinstein says.

At First Data, Western Union’s parent company, Senior Vice President for Corporate Security Bob Degen applies his Web monitoring and blocking policy equally—regardless of gender, age, race and even corporate seniority. “We’re serious about this,” he says. “In the past two years, we’ve had occasion to discipline two very senior executives.” The company has a two-strike policy. If an employee habitually tries to access forbidden sites with inappropriate content, HR calls him in and gives him a formal written warning. “That’s their first and final warning,” says Degen, who notes that the second offense could include termination.

To avoid discrimination claims and preserve the chain of evidence, it’s wise to have only a few specially trained and exceptionally discreet employees charged with reading suspicious e-mails. Although employees that carry out monitoring won’t be personally sued for an activity that falls within the scope of their job, CSOs need to be aware that often members of the IT group are uncomfortable identifying questionable employee conduct on the network and may worry about being named in any lawsuits that result. At First Data, the IT group was so uneasy making such judgments that Degen took the responsibility out of their hands. “Reports are automatically generated and given to security and HR, and then we determine whether [a situation] needs to be looked into,” he says.

Although few states are currently providing protections beyond those that federal law affords to employees, CSOs should consult a cyberlaw expert to see if there are any state laws that would affect their monitoring plans. For example, certain states have enacted strict antispam legislation, and companies could get in legal trouble if an employee used the corporate network to disseminate spam. Any company that has international locations will most certainly want to have a detailed analysis done of the monitoring laws for each country it operates in. In Europe in particular, privacy is viewed as a fundamental human right, and electronic monitoring by and large is generally verboten under European Union laws. That presents a challenge for many global companies that frequently have just one e-mail server. Those companies have to find a way to segregate European and U.S. e-mail to avoid violating European law.


WHO YOU CAN MONITOR: You lookin’ at me?

The fastest way to elicit resistance from employees is if you appear to be on an unfocused fishing expedition for information. First, CSOs need to analyze their motives for doing it. “You need a legitimate reason to monitor employees in the workplace,” says Weinstein. “And employers have to identify those reasons. It can’t just be because they don’t trust [employees]. Maybe they want to protect trade secrets, maintain secure systems or preserve personal productivity.”

A company might decide to monitor employees who are “misusing” their e-mail or Internet access to create a hostile work environment—which can be a dangerously subjective concept. In 1995, Chevron settled a well-publicized sexual harassment suit brought by four female employees who alleged that their coworkers created a hostile work environment by circulating offensive e-mails and Internet images. One of the items that was introduced into evidence was an e-mail titled “25 Reasons Beer Is Better than Women.” Chevron paid out $2.2 million to make the suit go away.

For every half-written document, hastily tapped instant message and ill-conceived e-mail, there’s a subpoena to ensnare. Witness the public spanking of Merrill Lynch’s stock price after authorities recovered e-mails that showed stock analysts privately trashing companies that they had publicly touted. In fact, the largest legal settlement ever involving a drug company owes a debt of gratitude to the evidence provided by internal e-mails. During litigation over diet pills manufactured by American Home Products, e-mails came out that showed the company was not only aware but dismissive of the drug’s potentially fatal side effects. In one particular e-mail an employee scoffed at the notion of having to pay off “fat people who are afraid of some silly lung problem.” The company settled the case in a settlement valued at up to $3.8 billion.

Open acknowledgement that a company monitors, reinforced by decisive action when infractions are discovered, will drive home to employees the understanding that e-mail is not a private form of communication. They, in turn, will likely police their own e-mail content.

The liabilities that employees can create with the use of computer systems are almost limitless. Imagine the damage (and damages awarded) if an employee uses the company’s network infrastructure to launch an Internet-based attack, or if an embittered employee decides to post fabricated information about his publicly traded employer onto a chat room bulletin board.

However, companies that have acted in good faith to enact a monitoring policy and educate employees about abiding by those requirements will be in a significantly stronger legal position. “The courts look favorably on employers with a written policy consistently enforced and backed up by education,” says Nancy Flynn, executive director of The ePolicy Institute and coauthor of E-Mail Rules: A Business Guide to Managing Policies, Security, and Legal Issues for E-Mail and Digital Communication (Amacom, April 2003). “Those employers are seen to have done everything possible to maintain a safe, secure and appropriate work environment.”

Outside of the daunting prospect of courtroom appearances, there are some practical human resources arguments to be made for monitoring. Usually, employees have only to hear that e-mail and Internet use will be tracked, and 90 percent of the problem behaviors—from raunchy jokes to excessive Internet surfing—will cease. Companies that don’t nip their employees’ naughty habits in the bud risk the creation of a much larger HR problem. When employees were caught either sending or receiving dirty jokes and images at a New York Times Co. facility, the company ended up firing 10 percent of its workforce at that location.

Monitoring also becomes far more palatable to employees when you make it clear that it provides a measure of protection for them against all the previously mentioned problems. At The Regence Group, an affiliate of Blue Cross and Blue Shield, CISO David MacLeod makes just such an argument to his employees. Through newsletter articles, posters and technology fair booths, MacLeod gets his message out about monitoring. “We characterize it as something that’s for their own protection,” he says. “If somebody claims an employee did something, we have good audit trails to show if they did or didn’t.”

HOW YOU CAN MONITOR: Got enforcement?

Clearly defining the company’s expectations and notifying employees of how and when monitoring will take place are important steps on paper but even more critical in practice. Flynn recommends that companies take what she refers to as the “three-E approach.” Establish your policy; educate the workforce; and enforce your policy consistently. That could mean pairing content-scanning technology with a written policy and then reinforcing it with a strong education program that cements the issue in the employee’s mind.

Whose Law Is It, Anyway?

The first step to crafting an employee monitoring policy is taking a baseline assessment of exactly the kinds of behavior that are going on within the confines of the corporate network. The survey should reveal the problem areas to be addressed and should provide excellent ammunition for convincing everyone of the need for monitoring. “It allows you to say, Here’s what’s going on in the absence of any policy: People are averaging 3.5 hours a day day-trading,” says Frederick Lane, author of The Naked Employee: How Technology Is Compromising Workplace Privacy (Amacom, 2003). “Now that you’ve established the state of the business, you can go back to people and say, Here’s our problem, and here’s our fix. You can present the policy as a reasonable compromise.”

The fundamental building blocks of a complete policy should include the following:

■ Notify employees you will monitor their use of proprietary assets.
■ Discourage the expectation of privacy on the corporate network.
■ Detail inappropriate uses of the company’s systems.
■ Describe allowable uses of those systems.
■ Educate employees about handling proprietary information.
■ Establish parameters of disciplinary action.
■ Provide an employee-signed copy of the policy to acknowledge their understanding and acceptance of its tenets.

The first two elements communicate to employees the kinds of monitoring that are going on and how they will be done. “Companies need to create a policy that explains in clear language what type of surveillance is taking place and distribute it so that employees know what they’re getting into,” says Lane. Such information can save the company legal headaches down the road. “A lot of litigation arises out of the shock of employees discovering that they are under surveillance” rather than the actual surveillance itself, Lane says.

The policy should clearly define the nature of appropriate (and inappropriate) use of computer systems. One of the murkiest problems that CSOs encounter is the general time drainage that occurs when every employee has e-mail and Internet access. For some companies, the answer is to prohibit any personal use of e-mail or Internet, but the vast majority of companies are acknowledging that as employee workdays grow longer, some incidental use of e-mail and the Internet is necessary. The key: Be explicit about what the company considers reasonable—is it use only during lunch or for making doctor’s appointments?

At National Cooperative Bank, Managing Director of IT Russell Schofield uses a product from SurfControl to track where his employees are going on the Internet. The product blocks all the usual socially taboo sites and also monitors time spent online. Every month he pulls a report of the company’s top 30 users, and if certain employees seem to be spending inordinately long periods surfing, he forwards the information to their supervisor. “Most individuals that show up on that report never show up again, and those that do don’t show up for very long,” he says. He has watched the time spent online for top users go from as much as 16 hours a week to a current average of about five hours, which he says are probably just during lunch.
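The monthly “top 30 users by time online” report that the “Whose Law Is It, Anyway?” sidebar attributes to Russell Schofield is simple enough to reconstruct. The script below is an added example, not code from the article, from SurfControl or from National Cooperative Bank: it estimates each user’s active browsing time from proxy log lines, ranks users, and flags anyone over a threshold for referral to a supervisor. The log format (ISO timestamp, user, URL), the user names, the URLs and the five-minute idle gap are all constructed assumptions for this example. One point it makes concrete is the “apply it to everyone equally” advice from Weinstein and Degen: the same rule and threshold are applied to every account, with no exemption list, which is what keeps such a report defensible if it is ever challenged as selective.

```python
"""Monthly top-N Web-use report from proxy logs (added example).

Not code from the article, SurfControl or National Cooperative Bank. The log
format, user names, URLs and idle-gap threshold are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample proxy log: "<ISO timestamp> <user> <url>", one request per
# line, deliberately not sorted so the per-user sort below does real work.
SAMPLE_LOG = """\
2003-02-03T09:00:00 bob http://www.example-news.test/
2003-02-03T09:03:00 bob http://www.example-news.test/sports
2003-02-03T10:00:00 carol http://intranet.example.test/policy
2003-02-03T12:00:00 alice http://auction.example.test/
2003-02-03T09:06:00 bob http://www.example-news.test/weather
2003-02-03T12:04:00 alice http://auction.example.test/item/1
2003-02-03T09:09:00 bob http://www.example-news.test/
2003-02-03T12:08:00 alice http://auction.example.test/item/2
2003-02-03T09:12:00 bob http://www.example-news.test/sports
2003-02-03T09:15:00 bob http://www.example-news.test/
2003-02-03T12:30:00 alice http://auction.example.test/item/3
2003-02-03T12:31:00 alice http://auction.example.test/bid
2003-02-03T14:00:00 bob http://www.example-news.test/
2003-02-03T14:04:30 bob http://www.example-news.test/sports
"""


def parse_line(line):
    """Split one log line into (timestamp, user, url)."""
    stamp, user, url = line.split(" ", 2)
    return datetime.fromisoformat(stamp), user, url


def active_minutes(log_text, gap_minutes=5):
    """Estimate minutes of active browsing per user.

    Consecutive requests from the same user that are no more than gap_minutes
    apart are treated as continuous browsing, and the interval between them is
    credited to the user. A longer silence is treated as the user having gone
    back to work and earns no credit. The same rule is applied to every
    account; there is deliberately no exemption list.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, user, _url = parse_line(line)
        events[user].append(stamp)

    totals = {}
    for user, stamps in events.items():
        stamps.sort()
        minutes = 0.0
        for earlier, later in zip(stamps, stamps[1:]):
            delta = (later - earlier).total_seconds() / 60
            if delta <= gap_minutes:
                minutes += delta
        totals[user] = minutes  # a lone request still yields an entry of 0.0
    return totals


def top_users(totals, n=30):
    """Return the n heaviest users as (user, minutes), heaviest first."""
    ranked = sorted(totals.items(), key=lambda item: (-item[1], item[0]))
    return ranked[:n]


def over_threshold(totals, threshold_minutes):
    """Users whose active time exceeds the threshold, for referral to a supervisor."""
    return sorted(user for user, minutes in totals.items() if minutes > threshold_minutes)


def format_report(totals, n=30, threshold_minutes=None):
    """Render the ranked report; an asterisk marks users over the threshold."""
    lines = [f"{'user':<10} {'minutes':>8}"]
    for user, minutes in top_users(totals, n):
        flagged = threshold_minutes is not None and minutes > threshold_minutes
        lines.append(f"{user:<10} {minutes:>8.1f}{' *' if flagged else ''}")
    return "\n".join(lines)


if __name__ == "__main__":
    totals = active_minutes(SAMPLE_LOG)
    print(format_report(totals, n=30, threshold_minutes=10))
```

In production the threshold would be set from the baseline survey the sidebar recommends (the article’s own figures suggest a weekly number), and the report would go only to the few designated reviewers the article describes, not to the whole IT group.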

Many companies—even those with exceptionally detailed policies—don’t actively educate employees about what acceptable use means in day-to-day office life. During orientation, the HR rep might hand a new employee the acceptable-use policy form, and in the blizzard of information, it fails to stick. At The Regence Group, visual reinforcements like posters and newsletters remind employees about policies. And MacLeod requires every employee to go through a security awareness program that is separate from the orientation process. He also ensures that his group’s new slogan—“Security is everyone’s job”—is widely circulated and highly visible throughout the company. The company has an oversight committee composed of all the senior executives, and when it decides on a security initiative, MacLeod has the executives bring that decision to their organization. “That way when somebody goes to [an executive] complaining that security thinks we should do this or that, the executive can say, Yes, I participated in that decision, and here’s why we’re doing it,” says MacLeod. “We don’t have to be the only evangelists.”

Part of the education process is ensuring that employees know bad things can happen when they ignore the policy—and not just to them personally. E-disaster stories can be a tremendous education tool for CSOs. While most security executives would undoubtedly blanch at the idea that they should be inciting fear among the masses, employees do need to understand that there’s a connection between what they do and the kinds of stories they see in the news. When a company is hurt by internal e-mails made public, it’s a good time to circulate a reminder that what employees say on e-mail is neither private nor confidential and can be used against the company. If there’s a story in the news about employees posting confidential corporate information to Internet bulletin boards, it’s worth reiterating at that time that such activities are against corporate policy and will be investigated.

It’s one thing to craft a “take no prisoners” policy that threatens serious consequences to employees that flout its rules; it’s another thing to follow through with it. In fact, setting out a tough policy and monitoring employee behavior but doing nothing about what you find is one of the most dangerous things a company can do. “The biggest mistake companies make is not taking action,” says Miriam Wugmeister, a labor and privacy law attorney with Morrison & Foerster in New York City. “A company that puts out a policy and finds those sexually explicit e-mails and does nothing about them [will be vulnerable to a lawsuit] because they monitored and took no action. They knew about the situation, tolerated it and condoned it as an employer.” Also, when the company has a policy but repeatedly does nothing to enforce it, it takes the teeth out of it. If an employee then violates the policy in a sufficiently egregious way and the company decides to terminate him, it could face a discrimination suit because its failure to enforce the policy in the past has created the expectation that it won’t be enforced at all.

Flynn suggests that CSOs make a bold statement by terminating the first person who violates the policy after it is put in place to set the precedent early on in the company. “If you terminate that first person to violate, you may avoid having to terminate a dozen or more employees down the road,” Flynn says. When a policy infraction leads to disciplinary action, it’s also a good idea to get the word out. Whether the employee was disciplined for e-mailing inappropriate material or spending too much time on eBay, let the fact that the policy is being enforced leak out. “The grapevine does a great service in these situations,” says Russell Schofield, managing director of IT at National Cooperative Bank in Washington, D.C., who notes that you can almost hear the collective “Uh-oh!” from the rest of the employees who suddenly realize that the company really is watching.

Senior Editor Daintry Duffy can be reached via e-mail at dduffy@cxo.com.

Does your company scan employee e-mail and filter or monitor Web use at the office? CSOonline’s interactive column TALK BACK weighs the positives and negatives of acceptable use policies. Read it and let us know what you think. Go to www.csoonline.com/printlinks.

February 2003 www.csoonline.com 39


Service-level  agreements  are  at  the  heart  of  most  managed 
information  security  contracts.  But  they  don’t  guarantee 
that  buyer  and  seller  are  pulling  in  the  same  direction. 


By  Malcolm  Wheatley 


ichard  Diamond  is  fully  aware 

of  the  irony:  Of  all  the  400  or  so  users  on  his  company’s  nationwide 
network,  he  was  the  one  who  fatefully  clicked  open  an  e-mail  attach¬ 
ment  from  a  contact  outside  the  company.  And  Diamond  is  the  CIO. 

“The  moment  it  happened,  I  realized  what  I’d  done— but  it  was  too 
late,”  says  Diamond,  senior  vice  president  and  CIO  of  The  Doctors  Co. 
The  physician-owned  medical  malpractice  insurance  company  was 
infected  by  the  Nimda  virus,  which  busily  began  sending  itself  to 
everyone  in  Diamond’s  extensive  companywide  e-mail  address  book. 
Eradicating  Nimda  from  The  Doctors  Co. 


took  almost  three  days. 

That unforgettable three days led Diamond’s company to settle on an increasingly common solution: outsourcing its network security. The Doctors Co. contracted Symantec to keep watch over the network on a 24/7 basis, guarding against not just viruses but the full gamut of IT security threats. “On security issues, we felt we were always playing catch-up,” says Diamond. No longer. “Suddenly, we find we’re in the vanguard. It’s a little surprising, but it seemed to be a very prudent thing to do.”

There are many reasons for bringing in a managed security services provider. Some hope to lower costs. Some simply hope to hand someone else the trouble of finding and hiring information security expertise. And many CSOs say they sleep better at night with such a service in place. But the contracts that govern outsourced security relationships are tricky beasts. Most of them center around a service-level agreement (SLA), which spells out minimum performance standards that the provider must reach. In all too many cases, it’s tempting to rely on the apparently tough-sounding SLA proffered by the vendor as the basis for managing and monitoring this new relationship. But that could be a mistake for a number of reasons, chief among them the fact that many of the measurements provided may prove hard to contest or simply irrelevant for what the CSO’s business really needs. And negotiating a different agreement isn’t as easy as it sounds.

All things considered, CSOs should scrutinize their service contracts carefully before letting a standard SLA lull them into a false sense of security.

What’s in an SLA

In a business such as managed security, most CSOs and CIOs figure that measuring a vendor’s effectiveness shouldn’t call for rocket science. Diamond, for his part, is very clear about the relationship with Symantec: “We know what it’s going to cost us, and we know how we’re going to measure its effectiveness,” he says.

Perhaps. Poke a little deeper, though, and this seemingly straightforward view quickly becomes murkier. How is a vendor performing? Look no further than the plethora of reports that it issues to its customers. Different vendors provide different reports, but most are variations on a similar theme. How quickly were threats detected and resolved? What kind of threats were they? Were they random or deliberately targeted? Which parts of the system were under attack? Is the trend in attacks of a particular nature rising, holding or falling?

At face value, such metrics appear very sensible, and they, of course, are the measures lovingly enshrined in the standard SLA. The tricky part is determining whose purpose the metrics in service-level agreements really serve.

Fess up: Certainly CSOs and their security organization have a vested interest in them. An armful of freshly delivered statistics always comes in handy when you need to justify jobs and budgets: “We’ve not been hacked lately—but look what might have happened!”

As it turns out, the same logic that applies to you persuading your executive team equally applies when your vendor is selling you. That’s one reason why managed security services providers appear to accept metric-laden SLAs with almost open arms. “We want our customers to see exactly how we’re doing in protecting them,” enthuses Pete Privateer, vice president of protection services for Atlanta-based Internet Security Systems. His customers are thus provided with a portal, protected by both password and token, that contains up-to-the-minute information about the company’s performance in meeting the specified SLA standards. “If they want, customers can drill down through the data to see information on the specific threats that are pertinent to them—data on the incidence of port scans or distributed denial-of-service attacks over the last month, for example,” Privateer says. “Or even firewall logs, if they want to go into that level of detail.”

Again, this tidal wave of metrics contains a generous dollop of self-interest. They also indisputably serve the handy double-purpose of persuading customers that they’re getting a good deal—possibly to the extent of encouraging them to upgrade to the next level of service. (Internet Security Systems, for example, offers four levels of service as standard: basic, silver, gold and platinum.)

The  Greater  Problem 

But  even  taking  the  motive  in  providing  (or  receiving)  the  metrics  at 
face  value,  a  bigger  question  remains:  Which  metrics  really  matter?  The 
answer,  it  seems,  depends  on  the  business. 

Daniel Piggott, group IT manager with Benson Group, a British construction company, was perfectly happy to sign up to the standard service-level agreement offered by U.S.-based Via Net Works. Via provides most of the company’s telecommunications and Internet access, he explains, and opting to sign up to Via’s managed security services provision offered economies of scale. When structuring the contract, though, Piggott went along with the service-level agreement that Via proposed. “They said, ‘Here’s our standard terms,’ and we felt we could live with it,” he says. “You have to be reasonable. We’re not a financial services company; we’re a construction company and didn’t feel that we couldn’t survive if a security issue meant an hour’s outage.”

Some businesses take a different view. Multinational petrochemicals giant BP, for example, is cautious about an overreliance on simple metrics. “Both hard and soft measures are important,” argues Paul Dorey, director of global security for BP. “The usual service-level metrics—speed of response, events logged and managed, and so on—form the basis of regular performance meetings, but we really look for a good relationship with knowledgeable security people. We’re asking them to be part of our extended team, and in security it’s more important to face up to any problems and deal with them than it is to decide whose fault it was,” he says.

In  other  words,  the  metric-driven  approach  may  simply  boil  down 
to  counting  the  number  of  times  that  the  horse  has  bolted  through  the 
open  stable  door.  The  obvious  question:  Might  it  not  be  better  to  close 
it  first? 

Common Interests

ABBEY NATIONAL, one of the United Kingdom’s largest retail banks, hasn’t outsourced its information security to a managed security services provider—yet. But talk to Marcus Alldrick, the bank’s head of group information security, and you’ll realize that a lot of thought has gone into figuring out how it might be managed and monitored. Alldrick seems to be a firm believer in the merits of tightly specified service-level agreement metrics.

But when it comes to selecting a provider, he’s far less concerned with its ability to pump out management reports than he is with its overall approach to business. “Information security is a business requirement, not a technical solution,” he says. “It’s very much about partnership.”

And in selecting that partner, he warns, be under no illusions as to the downside. “Ultimately, you’re looking for a strong assurance that this partner will protect your interests—not only your information assets but your reputation, your financial standing, your industry standing and the confidence of your institutional investors,” he says. -M.W.

That is certainly a view strongly put forward by Raleigh, N.C.-based Al Decker, director of outsourcing giant EDS’s security and privacy services division. “There’s a perception that managed security equates to managed intrusion detection and a managed firewall,” he notes. Metrics, like technologies, need to be tied to a firm business justification. “If [a particular measurement] doesn’t serve a business need, you need to query why it’s there,” he says.

According to Decker, managed security should really start by sitting down with your provider and analyzing the network architecture for worm holes. “If you take too narrow a focus, there’s a risk that you’ll leave an opening for an attack,” he warns. Likewise, time spent up-front figuring out the policies and procedures that should be in place is usually a good investment. In the event of an attack, he notes, “The policy is what should guide the action that is taken—and if [your actions and those of the service provider] are not in concert, then there’s a chance that you may be missing the mark.”

Another strike against service-level agreements comes from Bob Ayers, an information security veteran who rounded out a career in U.S. Army Intelligence and the Defense Intelligence Agency with a period as director in charge of the Department of Defense Information Systems Security Program, establishing the first Department of Defense emergency response team. Curiously, Ayers, who these days is based in London as director of business risk services at security consultancy @Stake of Cambridge, Mass., gripes that SLAs don’t contain enough metrics. Or at least enough of the metrics that really matter.

It’s a reflection, he says, of the imbalance that exists between managed security services providers and their customers when it comes to constructing SLAs. “Typically, you’re doing it for probably the first time, while the supplier has done it many times over,” he says. “The supplier uses words that make what they are going to do for you sound grand and glorious, but there’s no way you can use those words to prove that they aren’t doing a good job.”

Better Language, Please

Look no further than the sort of phraseology used to describe the supplier’s obligations regarding software updates and antivirus patches. “Remember,” Ayers says, “that a prime cause of hacks is poor software maintenance and late application of antivirus software. And what do we find? Phrases like, ‘The supplier will install and maintain an intrusion detection system and keep it current.’”

A much better way of describing that critical obligation, he says, would be to pin down much more precisely what has to be done. So instead of the previous vague phraseology, Ayers prefers words like these: “The supplier will install an intrusion detection system approved jointly by the supplier and the client, and will apply all vendor product updates within 30 minutes of them becoming available.”

It’s just an example, but Ayers is resolute on the need to comb through SLAs looking for—and excising—wooliness. He’s also in favor of building into the contract a stipulation that the client will periodically attack their own systems in order to assess the capability of the managed security services provider to detect and respond to those attacks. “It’s my experience that most companies fail to make such stipulations within their contracts,” he observes. But how practical are such tough-sounding words? Even excepting the periodic targeting of a company’s systems by its own personnel, some people have reservations about linking security issues to such tightly written metrics.

AT EASTERN BANK, Vice President of E-Business Solutions Aidan Garcia is responsible for information security. When the 46-branch financial institution first ventured online in 1997, says Garcia, the company purchased firewalls and vulnerability assessment tools from Internet Security Systems, culminating in August 2002 with Internet Security Systems providing it with a managed security service too. “We’ve spent so many years with them now, we trust them totally—which is important,” says Garcia.

Even so, he adds, when writing the contract, it was only prudent to think about cutting the knot. “We can step out of the relationship anytime we want to—if, for example, they weren’t meeting the service-level agreement,” he says. Not, he laughs, that he’s losing sleep over the possibility.

But in an industry that’s experiencing as much turbulence as the managed security sector (which has seen bankruptcies and is widely expected to further consolidate), thinking through what the bank would do if its service provider went out of business seemed only sensible. “We used to handle it ourselves, so we have a comfort factor that we can do it if we have to,” he says. “If they shut down, there would be a hole, and we’d need to fill it pretty quickly. But it wouldn’t leave us completely bare to the world.”

In figuring out what to do, says Garcia, the intention was to make sure that the critical pieces of the puzzle belonged to the bank, rather than a third party. “The way the relationship is structured, we own the licenses, and we’d carry on using the products,” he explains. “We’re not beholden to Internet Security Systems or anybody else for either the software or the hardware.”

-M.W.

For public sector CSOs such as Jeff Ritter, director of IT for the division of employment and training for the commonwealth of Massachusetts, there’s a legal hurdle to cross—one that the private sector may not need to face. “Public sector contracts are worded very generally, and security is a very specific issue,” says Ritter, who serves on the commonwealth’s Enterprise Security Board. “A general contract at law can’t possibly address the specifics of an engagement of this nature, in terms of particular releases and updates.” Public sector contracts tend to be “blanket” contracts, he explains—general in nature, lasting over time, and covering a basket of goods and services.

Massachusetts’ own contract with managed security services provider Genuity, for example, calls only “for the vendor to make best efforts to provide the most up-to-date version,” he says. Even so, Ritter can see the advantages of a tighter approach: “There’s no real reason why such stipulations couldn’t be in place, provided that the lawyers understood both the need and the technicalities to phrase a sensible contract,” he says.

Managed  security  services  providers  aren’t  too  sure,  though— and  not 
just  because  they’re  objecting  in  principle  to  something  that  attempts 
to  pin  them  down.  “The  speed  with  which  patches  and  upgrades  are 
updated  is  easy  to  talk  about  but  much  harder  to  do  in  practice,” 
observes  Patrick  Cain,  security  advocate  in  the  CTO’s  office  at  Genuity. 
“Patches  can  break  what  you’ve  already  got  or  just  not  work  with  it.” 

And in any case, he adds, there’s nearly always more than one way to skin a cat. With many known threats, for example, it’s perfectly possible to program the firewall to look for particular data packets and filter out the threat that way—without running the risk of breaking anything until the stability of a patch or upgrade is well-understood.

In  short,  if  such  apparently  simple  issues  can’t  be  readily  decided  one 
way  or  another,  it’s  difficult  for  any  chief  security  officer  to  know  if  the 
deal  he  gets  from  his  managed  security  services  provider  is  a  good  one 
or  not. 

The mist is clearing—but slowly. Amit Yoran, vice president of global managed security services at Symantec (and another former DoD CERT alumnus) concedes that customer pressure is forcing change. “Users are getting more sophisticated in their RFIs and RFPs, and are getting to better understand the various value propositions on offer,” he says.

For his part, Massachusetts’ Ritter points to draft initiatives developed by the Massachusetts Information Technology Division’s Cyber Law E-Government Advisory Roundtable with respect to website and software development. If there’s a way forward, it might be there, he believes. With page after page of legalese leavened with healthy dollops of good business sense, they’re not documents for the fainthearted. And nor, yet, do they deal with managed security services. But as a model—well, yes, here’s a bunch of lawyers with some sensible-sounding things to say about IT procurement.

Absent such progress, the business of managing your relationship with a managed security services provider will remain like nailing Jell-O to a wall. In which case, as the Romans used to say: caveat emptor—let the buyer beware. ■

Malcolm Wheatley is a freelance writer based in England. Send your outsourcing experiences to Executive Editor Derek Slater at dslater@cxo.com.


For  more  on  MEASURING  THE  EFFECTIVENESS  OF  YOUR  COMPANY’S 
SECURITY  OUTSOURCING  AGREEMENTS,  visit  CSOonline.com’s  Strategy 
&  Management  Research  Center.  Go  to  www.csoonline.com/strategy. 
Called to Account

SOME SECURITY EXECUTIVES SEE PROTECTING THEIR COMPANY’S ASSETS AS A WAY TO EARN A LIVING. ABN AMRO’S SHARON O’BRYAN SEES IT AS HER MISSION. BY SIMONE KAPLAN


You’re in good hands with Sharon O’Bryan.

That may sound like an advertising slogan or a political promise, but O’Bryan isn’t campaigning for anything. She’s the senior vice president and chief information security officer for Dutch banking giant ABN Amro’s North American division, and she loves her job. To her, protecting her clients’ cash and sensitive information is much more than a way to earn a paycheck. It’s a calling.

“Security is so intrinsic to what we do for our clients,” she says, her voice filled with conviction. “This is people’s livelihood that I’m protecting. It’s their ability to send their children to college, to pay for their daughters’ weddings. It’s a very big deal.”

IN THIS STORY: Why adding compassion to your skill set is important ■ How to maintain control in an ever-changing environment

O’Bryan is passionate about security. She is also very honest about the challenges of being a CISO. Professionally, like many of her peers, O’Bryan faces a continually changing landscape that requires deft strategic planning and a nimble mind. On a larger scale, she must navigate the heavily regulated waters of the financial services industry, in which every action, every goal must be documented for corporate and federal auditors. She frequently visits Washington, D.C., where she represents her company on the financial services branch of Presidential Cybersecurity Adviser Richard Clarke’s Critical Infrastructure Protection Board and is a major player in Bits, the technology arm of the Financial Services Roundtable, an industry lobbying group. “Staying on top of security technology and the nature of security threats, which change constantly, isn’t easy,” she admits. “But then—you know the saying—the only thing that’s constant is change.”

Considering how much she has going on, it’s amazing that O’Bryan has time to talk at all. Since she joined ABN Amro four years ago (after several years as an IT auditor for two Big Five accounting consultancies), she’s revamped the security architecture of her company’s technology risk management group and helped her staff adjust to a global corporate reorganization. Not only that, but ABN Amro, which has 3,400 branches in 60 countries, is so active on the mergers and acquisitions front that O’Bryan is continually applying security standards to systems newly integrated into the company’s network. Sometimes she feels like the company’s landscape changes on a daily basis. As CISO, she’s not in charge of the company’s physical security arena, but she still has to make sure the two groups don’t duplicate efforts in their common goal of protecting the business.

To top it all off, the CEO and the CIO of ABN Amro’s North American division are both retiring, and O’Bryan doesn’t know to whom she’ll be reporting in the long run. Fortunately, she likes that kind of pressure.

“I do better under duress,” O’Bryan says. “It’s like when you go to a restaurant, and you’re the only customer there. Ironically, the quality of service is terrible. If you want another cup of coffee, you can’t find the waitress because she’s off in a corner somewhere smoking. But if the place is busy, your service is better because the waitress has to be on the ball. It’s the same with me. When I’ve got an overwhelming number of things to do, I get all fired up.” Which explains how, despite the demands on her time and energy, the atmosphere in O’Bryan’s office above the Chicago Loop is amazingly controlled. Amid neatly framed family photos and carefully organized papers, O’Bryan appears to be the essence of level-headed business acumen and IT expertise. Her zest for the job is immediately apparent in her strong handshake and the unwavering eye contact she levels on visitors. She frequently faces the challenge of merging systems from multiple companies that ABN Amro has acquired into her own and making sure they stand up to her rigorous security standards and requirements. “Sometimes I come into work and wonder, Well, what will the company look like today?” she says.

As CISO of the international banking giant ABN Amro, Sharon O’Bryan faces the challenge of merging systems from companies that ABN Amro acquires. “Sometimes I come into work and wonder, What will the company look like today?” she says.

MERGE AHEAD

O’Bryan heads the technology risk management team, which is known within the company for handling the security side of systems integration quickly and well. If the acquired company’s security doesn’t meet O’Bryan’s standards, she delays hooking it up to ABN Amro’s network until it’s in compliance. “You can’t mix an unprotected system with a trusted network,” she says. The process is particularly difficult if the new company’s system is dependent on a single software program whose security settings can’t be changed. O’Bryan reasons that “if you change their technology in those situations, then you have changed the success of their organization, and there’s no cost-benefit to bringing them into the fold.” Her solution is simple and circumspect: Segregate unsafe systems. She and her team create an oasis of computers linked to the ABN Amro network. The computers are placed in a secure room, and whenever someone needs to interact with the ABN corporate network, he has to work with the special computers. “If you can’t have a shared environment, that’s what you have to do,” she says.

O’Bryan applies the same determination to every project she faces. Recently, she completed a total reorganization of the security architecture part of the technology risk management group. The overhaul began three years ago, after she joined ABN Amro and discovered that the security organization was all over the map. Literally. “It was a giant pot of stew,” she recalls. The security organization was underfunded and understaffed, comprising only 12 people who were scattered throughout other infrastructure groups around the country. When O’Bryan arrived, the company had decided to go forward with a single sign-on technology that would allow network users to access multiple applications after entering a single password. But the North American division’s network was a complex patchwork of systems mushed together from frequent mergers and acquisitions, and there were few security standards in place. O’Bryan decided that the technology couldn’t support the
company’s integrated systems and shelved the project. “The technology wasn’t quite there yet, and your network environment must be very clean for a project like that to be effective without opening you up to attack,” she says.

After putting the project on hold, she sat down with her CIO to gauge his level of support for a formal set of security standard projects. She then presented the executive board of ABN Amro North America with a meticulous plan detailing her ideal approach to increasing security efficiency and effectiveness—creating a centralized technology risk management group to oversee a common set of security policies—and the executive team gave her the thumbs-up. Then she began the next phase of the reorganization. Most of the existing risk management and continuity planning staff was dispersed and decentralized, reporting to different bosses and working in reaction-based environments rather than under a tactical or strategic plan. O’Bryan plucked her staffers out of their pseudo-exile and brought most of them to the Chicago area (she still has people in Michigan and New York), where they could work as a team. Together, the group came up with a thorough approach to technology risk that began at the strategic level and extended all the way down to daily, mundane procedural tasks such as issuing network access IDs.

O’Bryan looked at how other banks handled security but kept a close eye on how closely industry best practices addressed her company’s needs. “Best practices are often set by much larger organizations, like Bank of America, and they might not make sense for us as a medium-size organization,” she explains. “Rather than apply blanket best practices to my company, I am more interested in looking at how those practices relate specifically to the infrastructure, applications and security controls we have in place.”

With the newly crafted standards in hand, she made sure the company’s network was scrubbed and the systems were functioning effectively. “We had to clean it up,” she says. The security staff grew: When O’Bryan began the overhaul, she had a staff of 12 and a budget of about $6 million. Three years later, she oversees 66 people and a budget of $18 million. And the evolution of the risk group is about to take another step. In early 2003, ABN Amro’s Chicago offices will move to a new building that’s still under construction. While the move entails a lot of change, O’Bryan isn’t worried about adjusting. In the new building, she’ll have her entire Chicago-area technology risk group on one floor (right now, half the group is in her Loop-area building and the other half is located 20 miles away, near O’Hare International Airport).

At the same time O’Bryan was revamping the technology risk management division, ABN Amro was going through its own labor pains. Like the technology risk group, the Dutch bank used to be regionally oriented, with operations spread around the globe. Two years ago, the company reorganized itself into three strategic business units: consumer and commercial clients, wholesale client services, and private clients and asset management. O’Bryan needed to fit the risk group’s responsibilities into the company’s new structure, a task which O’Bryan took in stride. “We just had to be light on our toes and change the strategic plan regularly,” she says.

DO  THE  RIGHT  THING 

O’Bryan is not one to simply navigate her way through change—she actively seeks it out, particularly when she perceives that something is wrong. “I’m very much a do-the-right-thing person,” she says of herself. “I won’t sit by if something needs to be fixed.” One of the projects in which she has been most actively involved is the creation of a framework for monitoring the risk management practices of third-party outsourcing providers. During her years as an IT auditor, she noticed a loophole in industry auditing procedures that allowed a lot of financial companies to avoid examining the IT and security risk-management policies of outsourcers (for more on outsourcing, see “Tying the Knot,” Page 40). That a loophole existed wasn’t surprising—the regulations governing outsourcing risk management were published in 1988, long before data security became the issue it is today.

O’Bryan observed that, at audit time, industry and federal regulators almost never asked her clients for a list of outsourced services so that they could examine how the companies managed risk. Since it was her job to audit the technology infrastructure of her 102 financial clients so that they could sign off on financial statements, the loophole was very apparent. She knew regulators weren’t doing anything wrong because looking in-depth at data security controls was outside the scope of their audit responsibilities. But other than simply verifying the presence of security measures, there was virtually no data privacy oversight for information handled by outsourcers. Companies were not required to demonstrate the breadth of data security coverage or whether their in-house security was integrated with that of their outsourcers. As a result, she says, few organizations performed the necessary analysis of security controls they relied on, and fewer, if any, actually tested those controls. The financial institutions shrugged it off for the most part, she says, because they thought data security was the outsourcer’s responsibility, not theirs. “What we needed was documentation showing how information is shared between companies and outsourcers, how their networks interface and how the data is being protected,” she says.

O’Bryan felt the lack of data privacy oversight needed the attention of the entire financial services industry. As a member of Bits, the lobbying group founded by CEOs from the top 100 financial companies in the nation, she brought up the idea of creating an industrywide framework for governing risk management in outsourcing at a meeting. The other members of Bits agreed the issue demanded action and set to work creating the framework, a process that took a year. O’Bryan now cochairs the committee in charge of expanding the framework, which was ratified in 2001. The new regulations require financial companies to apply the same security measures to outsourced information as they would if the data was handled in-house. “You can outsource IT and business processing, but you can’t outsource the risk,” O’Bryan says. “That creates a challenge for service providers, many of whom are being forced into creating formal security and contingency planning policies of their own in order to service financial clients.” While the Bits framework has helped regulators increase their scrutiny of outsourced risk management, this issue remains somewhat unresolved, she says, because most business managers still believe they can outsource risk, an attitude that has to change for sound security to be achieved.

Not surprisingly, O’Bryan handles the challenge of forcing change upon an industry mired in tradition and regulation with aplomb. She does, after all, thrive on pressure and responsibility. Like many security executives, O’Bryan is a part-time student, but the degree she’s pursuing is probably unique in the IT security field. She’s in the process of earning a master’s in theology, her third advanced degree (she already holds an MBA and a master’s of information systems). And no, she’s not praying for secure networks.

In the future, she wants to work with teenagers to “help steer them in the right direction.” But that’s a few years off. Her immediate goals are to move closer to the strategic side of the business so she can become less involved with day-to-day operations. “I’m a strategist at heart, and I have a vision of what security should mean to the business,” she explains. At some point she’d like to do more industry lobbying in Washington, D.C., but for right now she’s happy commuting from her home 65 miles outside Chicago and helping protect the assets of ABN Amro’s worldwide clients.

“At the end of the day, that’s what feels good,” O’Bryan says. ■

Staff Writer Simone Kaplan can be reached via e-mail at skaplan@cxo.com.


CSOonline’s SECURITY EXECUTIVE RESEARCH CENTER includes profiles of successful security executives like Sharon O’Bryan and dozens of links to articles about the emerging role of the CSO. Go to www.csoonline.com/executive.
PEOPLE WILL SEE THIS AD.

IF EVEN ONE OF THEM DOES SOMETHING, IT WILL BE A SUCCESS.

Just one person. Who remembers one face. And makes one phone call. That’s all it takes to help find missing children and bring them home. Call 1-800-THE-LOST or go to our website, missingkids.com, generously provided by Computer Associates. Look at the children. Remember the faces. And help just one child get home today.

Cebrail Tunga, missing since 8/23/99
Fernando Robnett, missing since 1/10/00
Shelby Cannon, missing since 12/8/98
Jonathan Mora, missing since 10/1/98
Reuben Blackwell, missing since 5/6/96
Alexandra Heaslet, missing since 12/12/00
Daniela Salgado, missing since 12/22/00
Jacquilla Scales, missing since 9/5/01
Adam Shannon, missing since 8/22/01
Cameron Bland, missing since 5/18/00
Andrea Reyes, missing since 10/5/99
Ethan Hernandez, missing since 7/16/00
Jennifer Hands, missing since 12/27/97
Amy McLaughlin, missing since 8/27/01
Rah Diamond, missing since 5/27/01
Joshua Bryant, missing since 5/12/01
Shawna Nowaczyk, missing since 10/11/00
Jacquelin Randhawa, missing since 7/25/00

CENTER FOR [...] CHILDREN. PICTURE THEM HOME.

©2002 Computer Associates International, Inc. (CA). All trademarks, trade names, service marks, and logos referenced herein belong to their respective companies.


CSO Perspectives™

Today’s security executives meet at the CSO Perspectives Conference

June 17-19, 2003
Hotel del Coronado
Coronado, California

As an executive responsible for securing and protecting an organization’s information assets and infrastructure, you are constantly searching for how to better define your mission and responsibilities within the enterprise.

You need a forum in which you can address your own unique set of business-level challenges—and network with your peers.

CSO Perspectives meets those needs with an educational and networking conference just for you—chief security officers (CSOs) and senior technology decision-makers (CIOs). At CSO Perspectives, you’ll gain firsthand knowledge from industry experts and your peers that can enhance your organization’s security strategy.

You’ll have the opportunity to:

• Exchange best practices in balancing risk and responsibility
• Learn from your peers what works in the real world
• Explore creating a culture of security
• Understand the current thinking on key issues and trends
• Uncover the hidden threats of legal liability
• Examine emerging technologies that will impact your enterprise

Visit us at www.csoperspectives.com or call 800 366-0246.

The Resource for Security Executives


Technologies, Tools and Tactics

Convergence, Continued

An ever-growing flood of security products and technologies continues to connect the physical and digital worlds

Threat Dashboard

Want to “reduce enterprise monitoring to a single screen”? Sounds like a recipe for eye strain, but that’s the bold claim of TowerView Security, a software product that projects data from various security devices—intrusion detection systems, firewalls, surveillance cameras, access control systems, you name it—onto a three-dimensional grid in real-time.

When any significant event (as defined by the user) occurs on any of these systems, it causes a “spike” to appear on the TowerView screen. Security monitoring personnel can then drill down into the specific event to get more details. The real-time aspect is a critical selling point; as a spokesman says (attaching the customary industry scary vibe), “It’s the difference between knowing an intruder was in your home and knowing one is in your home.”

TowerView has been shipping to beta and evaluation customers since last year, although its maker (High Tower Software) hasn’t planned the official rollout party yet. High Tower officials claim companies in gaming, retail and entertainment among early adopters. More information is available at www.hightowersoftware.com. -Derek Slater

Gunshot Locator

Proxity Digital Networks went a step further than feeling helpless and angry as most people did last fall when sniper gunfire was spreading fear around Maryland and the United States. The New Orleans-based integrated security technology company created a product that can detect gunshots and potentially pinpoint their origin.

The fruit of the company’s labor is a product called On Alert, which reportedly can not only detect gunshots but determine the type and caliber of weapon fired (using a database of the “sound signatures” of various types of weapons that were recorded at a firing range) and then use satellite coordinates and triangulation to find where the shot came from. That information can be transmitted immediately to a command center (such as a police station) or an officer’s PDA.

Proxity hopes to beta test the system with law enforcement agencies in early 2003 and aims to roll out the first generation of the product shortly thereafter. “[On Alert] is a protection device that reports an event that should be reported at the time it happened and gives the location so the proper authorities can respond appropriately,” says Billy Robinson, Proxity’s CEO. He adds that On Alert is easy to implement and cost-efficient to maintain because it is wireless and can be installed on existing structures such as power lines and telephone poles. On Alert is expected to cost about $20,000 to deploy per square mile (about 18 devices are needed per square mile) at a monthly cost of $100 to maintain, says Robinson.

For more information, go to www.proxity.com. -Cheryl Asselin

Beyond Anti-virus Protection

For all your e-mail security challenges:

■ content filtering
■ image scanning
■ spam blocking
■ archiving
■ enhanced virus protection
■ encryption
■ legal liability

Protect Your Messaging Platform Today. Be Prepared for Tomorrow.

Inbox Patrol

Is there a white knight solution to spam? By Simson Garfinkel

E-MAIL IS THE Internet’s killer app. Yet the future of e-mail is in serious jeopardy from the ever-increasing torrent of unwanted e-mail that fills our inboxes and clogs our mail servers.

The statistics are frightening. According to Brightmail, an antispam company, 40 percent of all e-mail is now spam, and nearly 15 percent of all spam is pornographic, up from 5 percent last year. Pornographic spam is an affront to many Internet users, creating a hostile workplace and opening employers to the threat of litigation.

Brightmail operates a “probe network” built from old e-mail addresses at some of the world’s largest (and smallest) ISPs. Whenever lots of mailboxes receive messages that are similar, the messages are sent to Brightmail’s operations center, where human beings look at the messages and determine if they are spam. In November 2002, Brightmail’s experts uncovered 5.5 million spam “attacks,” each consisting of between several thousand and several million messages.

Many ISPs have strict policies against spamming. If spam is sent out from your computer, your Internet connection can be terminated without notice or other warnings. Imagine my astonishment in late November when I discovered that more than 100,000 spam messages had been sent to Hotmail from the network connection in my own basement. Here’s what happened.

When a friend of mine lost his Web-hosting facility, I agreed to let him put a Windows 2000 e-commerce site in my basement, using one of my unused IP addresses. One day, he removed his computer’s host-based firewall because it was making the SQL Server crash. That night, a piece of software on his computer opened up a connection to Hotmail, created a new account, and started using it to spam Yahoo and AOL subscribers with advertisements for penis enlargement. The attack continued for precisely one hour, then shut off. It repeated with a new Hotmail account five hours later.

My friend has antivirus software running on his Windows system, but neither he nor it found the hostile code. In the end, his only recourse was to reinstall the host-based firewall and deal with the occasional crashes.

ISPs feel compelled to take such drastic actions with spammers because legal approaches have largely failed, and spammers are hurting ISPs where it counts—in the checkbook. Spammers are forcing ISPs to buy more computers to handle the e-mail load, to develop and deploy technology to shield customers from spam, and to hire more employees to deal with the complaints. And if ISPs don’t immediately kill the accounts of suspected spammers, they risk being put on antispam blacklists.

Yet for all the costs of spam, I am equally concerned about the rising cost of antispam measures. Like antivirus software, antispam can be run on either an organization’s e-mail server or on the desktop. But unlike antivirus systems, which use signatures to identify viruses and almost never have false-positives, identifying spam is invariably an error-prone process. Good antispam systems need a way to handle their mistakes.

Some antispam systems tag mail that’s likely to be spam with a special header. Users can then set up filters in programs such as Eudora or Outlook Express to automatically put tagged mail into a special mailbox, where they can review it at their leisure. Other antispam systems simply bounce mail that’s identified as “spam” back to the sender. Real spam invariably has a fake return address, causing it to be dropped. But mail that is accidentally misidentified ends up back at the sender.

Last November, the Federal Trade Commission started subscribing to several antispam blacklists and using them to block incoming e-mail. The blacklists aren’t perfect because spammers invariably use the same ISPs as people who don’t send spam. The result: Some public comments that were sent to the FTC were blocked and not delivered. “It was surprising to see that a government agency was bouncing my mail,” Sonia Arrison, a technology policy analyst at the Pacific Research Institute, told CNET News.com. “Shouldn’t they all be open to the public?”

I have had similar problems. I send out a lot of e-mail through MIT’s main e-mail server—a server that is incorrectly listed in one of the widely used blacklists. Last fall, I replied to an e-mail that I had received from a computer security company: My reply bounced because of the blacklist.

Companies subscribe to those blacklists because they work. But blacklists pose yet another problem: By definition, when you subscribe to a blacklist, you are allowing an outside organization to decide whose mail you can receive, and whose you can’t. This is very different than using an antivirus system to scan your e-mail and remove offending copies of the Klez virus. Some ISPs have been blacklisted because they host websites belonging to spammers. Depending on your point of view, blacklists are either grassroots Internet activism at its best or unaccountable vigilante justice at its worst.

If you are a legitimate business that sends out e-mail to your customers, step lightly. Three years ago, I received an e-mail coupon from the Gap. I couldn’t remember giving the Gap my e-mail address so I called the company, accusing it of spamming. The spokesperson at the Gap told me that I had given the company my e-mail address at a mall in Morristown, N.J. I have never even been to Morristown, so I thought somebody at that store must have bought a CD-ROM of e-mail addresses and entered mine into their system.

But the good folks at the Gap were prepared. Every card that had been collected for its e-mail campaign had been recorded on microfilm. The Gap faxed me a card that had my e-mail address written in my very own handwriting. In fact, I had given it my e-mail address two years earlier. The cards from the Morristown store had gotten confused with the cards from the store where I live.

Instead of using blacklists, some antispam systems bounce mail that has improperly formatted mail headers or suspicious sender addresses. As a result, I’ve had e-mail from my pager tagged as spam and either bounced or discarded. That’s because my pager’s e-mail address looks like the sort of address that a spammer would use. (It’s a 10-digit number@skytel.com.)

You’ve probably experienced another antispam system if you send e-mail to any large mailing list. If you’re not on somebody’s list of approved senders, their antispam program might send you an e-mail asking you to prove that you’re not some program sending out spam. Sometimes all you have to do is reply. Recently I had to go to a webpage, download a Java applet and have my computer compute an “electronic postage stamp,” which required 30 seconds of CPU time.

I call this approach the “mandatory whitelist with adaptive challenge response.” It works, but it’s tremendously annoying. Imagine joining a new mailing list and then being forced to prove to 600 people that you really are human. That approach actually increases the amount of junk mail in the world—for every spam message, a query reply is generated as well. And woe to you if a spammer uses your e-mail address as its sender address: You’ll be bombarded with messages.

A still bigger problem with the mandatory whitelist is that spammers can defeat it by using a sender address that’s likely to be in your whitelist—like your own e-mail address or the e-mail address of somebody else at your company.

Jeff Schiller, MIT’s network manager and head of the Internet Engineering Task Force’s steering group’s section on security, says all technical solutions to spam share a common problem: Spam software may not be human, but spammers are. Every time an engineer figures out a way to stop spam, the spammers think up some new side step.

As for me, I’ve been able to cut my load of spam from more than 100 messages a day to just two or three, thanks to SpamAssassin, an effective Perl-based spam detector that runs on Unix and Windows. Instead of throwing the spam away, I drop it in a mailbox, which I scan every day to see if a legitimate message was trapped by accident. When that happens, I move the message back into my inbox and whitelist the address.

But SpamAssassin is just another technical measure, and ultimately, it will be evaded too. I don’t see any long-term antispam solutions that don’t include another kind of vigilante justice—the kind that involves dark alleyways, broken fingers and big men making scary threats. ■

ILLUSTRATION BY ANASTASIA VASILAKIS

Simson Garfinkel, CISSP, is a technology writer based in the Boston area. He is also CTO of Sandstorm Enterprises, an information warfare software company. He can be reached at machineshop@cxo.com.
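The tag-and-review workflow the column describes (SpamAssassin’s X-Spam-Flag header, a quarantine mailbox reviewed by hand, and whitelisting the sender of any message released from it), written out as an added Python example that is not the column’s or SpamAssassin’s own code; the messages and addresses are constructed, and the forged-From: case shows the whitelist weakness the column warns about.

```python
"""Tag-and-quarantine mail sorting on SpamAssassin headers (added example)."""
import email
from email.utils import parseaddr
from typing import Dict, List, Set, Tuple

# SpamAssassin adds "X-Spam-Flag: YES" (plus an X-Spam-Status line carrying
# the score) to messages that cross its threshold; the sorter keys on that.
SPAM_FLAG_HEADER = "X-Spam-Flag"

# Constructed sample messages; every address below is a placeholder.
MSG_FRIEND = """\
From: Alice <alice@example.com>
Subject: Lunch?
X-Spam-Status: No, score=-1.2 required=5.0

Still on for noon?
"""
MSG_SPAM = """\
From: promo@example.net
Subject: Big savings!!!
X-Spam-Flag: YES
X-Spam-Status: Yes, score=12.3 required=5.0

Buy now.
"""
# The pager case from the column: a bare 10-digit local part looks spammy
# to header heuristics, so it is flagged even though it is legitimate.
MSG_PAGER = """\
From: 8005550100@skytel.example
Subject: Page from 8005550100
X-Spam-Flag: YES
X-Spam-Status: Yes, score=6.1 required=5.0

Call the office.
"""
# Spam whose From: is forged to the recipient's own address, the
# whitelist-defeating trick the column describes.
MSG_FORGED = """\
From: me@example.com
Subject: Re: your account
X-Spam-Flag: YES
X-Spam-Status: Yes, score=9.8 required=5.0

Click here.
"""


def sender_address(raw: str) -> str:
    """Bare, lower-cased address from From: (an unauthenticated header)."""
    return parseaddr(email.message_from_string(raw).get("From", ""))[1].lower()


def route(raw: str, whitelist: Set[str]) -> Tuple[str, str]:
    """Return (folder, reason); folder is 'inbox' or 'quarantine'.

    The whitelist is consulted first so a mis-scored message from a known
    correspondent is never trapped.  The cost, visible in the reason string,
    is that a forged From: matching a whitelisted address is let through too.
    """
    msg = email.message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    flagged = msg.get(SPAM_FLAG_HEADER, "").strip().upper() == "YES"
    if sender in whitelist:
        if flagged:
            return "inbox", "whitelisted sender overrides spam flag (From: unauthenticated)"
        return "inbox", "whitelisted sender"
    if flagged:
        return "quarantine", msg.get("X-Spam-Status", "flagged")
    return "inbox", "not flagged"


def sort_mailbox(raw_messages: List[str], whitelist: Set[str]) -> Dict[str, List[str]]:
    """Sort raw messages into folders; returns the subjects filed in each."""
    folders: Dict[str, List[str]] = {"inbox": [], "quarantine": []}
    for raw in raw_messages:
        folder, _reason = route(raw, whitelist)
        subject = email.message_from_string(raw).get("Subject", "(no subject)")
        folders[folder].append(subject)
    return folders


def release(raw: str, whitelist: Set[str]) -> str:
    """Daily-review step: a trapped legitimate message goes back to the inbox
    and its sender is whitelisted so it is not trapped again."""
    sender = sender_address(raw)
    whitelist.add(sender)
    return sender


if __name__ == "__main__":
    wl = {"me@example.com"}
    batch = [MSG_FRIEND, MSG_SPAM, MSG_PAGER, MSG_FORGED]
    print(sort_mailbox(batch, wl))   # pager message lands in quarantine
    release(MSG_PAGER, wl)           # reviewer frees it and whitelists the pager
    print(sort_mailbox(batch, wl))   # pager message now reaches the inbox
```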
A Sordid Tale

There’s a dark side of security that goes beyond hackers and thieves By Anonymous

I HAVE A PARANOID security team. Which is good.

I also have paranoid users who don’t trust security people. Which is not so good.

I discovered this when a coworker came into my office, red in the face, eyes puffy and obviously greatly upset.

“What on earth is the problem?” I asked in my best official-yet-caring management voice.

Between sobs, she explained that, a week earlier, she had gotten an e-mail about the upcoming Summer Olympics in Greece. Since her nephew was hoping to be on the U.S. track team, my coworker was hoping to learn something that might help him. It took a while for a webpage to open up, but when it did, she read all about Greece and the Olympics.

Two days later, she got an e-mail from an unknown address asking for $50 or they would tell her management that she had been surfing pornography sites. They even said they could prove she had downloaded child pornography!

“They even told me which directory it was in on my computer,” she cried. “And sure enough, when I looked there, I found the most disgusting pictures.”

This was one of the most conservative people I know, and of course she would never do such a thing. She had even asked me once if it was OK to write a personal letter on her desktop and print it off on one of our laser printers.

The Olympic site was immediately suspect to her because it had taken so long to load the pages. “My computer is never that slow,” she said.

“Did you pay them?” I asked.

“No,” she said. “But they sent another e-mail this morning reminding me I had only two days left to pay them. So I figured I’d better talk to you about it.”

Unfortunately, security sometimes involves dealing with scumbags who prey on others. I knew immediately that this was an extortion attempt and calmed her fears. And, as I said, we have a pretty good security crew. Wonderfully paranoid. So I set them on a path to track down the offending organization and get to the bottom of what was going on.

First reports came rolling in almost instantly. My coworker had kept all her e-mails from the extortionist and had not turned off her system since the files were transferred to it, so the IS people had a pretty good look at logs and files to find out what they could reconstruct and get some ideas. They could see that she had, indeed, gotten the e-mail and then clicked on the URL, just as she said. Logs on her system showed an FTP file transfer from an IP address in Bulgaria. In all, there were three files that were named the same as the three we found on her system. They also found some text and GIF files about Greece. The system keeps 20 days’ worth of file caches on what users have viewed on the Web, and if you know where to go on the system, you can see all of it.

The team copied everything to a CD. They also copied her Internet and website caches to CD in case we needed them later. They made a complete copy of her hard drive and burned that to a DVD.

“Looks as if things happened just as she said,” the internal information security manager told me.

After that, we checked her e-mail client and the server backups. She had received an e-mail two days after the initial message asking for money and a credit card number. Luckily, she didn’t give them one.

Here’s the interesting part, though. When we were checking the firewall access logs, we found that the same IP address was active 27 times that day to other end user systems on our network. Twenty-seven times! We did some checking and found that at least 15 other employees were hit with the same scam on the same day.

Why hadn’t anyone told us? I was completely aghast.

That’s when I learned about the paranoid users. Some knew it was a scam, but some were truly afraid of losing their job. A few confessed to visiting porn sites on their computer at home and thought this was related. Three employees responded to the threat by divulging credit card numbers and now have problems with charges on their card.

We told them what was going on and had them call their credit card companies right away.

Then we put some blocks in our e-mail filters to kill off any more e-mails like that one. We’ve blocked the IP addresses from FTP and Web access in case the same culprits try it again. I think that will cover the bulk of it for now. If they change addresses or e-mail message types, we’ll need to do the same procedure again, of course. Filtering is a very on-or-off type of experience. We won’t pick up any changes in the attack automatically, and so we’ll need to see a sample to tune the filters and kill off other variants of the message as well. It’s the same problem we have with the spam filters. Spammers have an easy time tweaking messages to get around any filters we set up.

What fun. Security gets messy when it involves employees’ privacy and protection from things like this. I have had to deal with the lovelorn stalker e-mail and the vicious ex-spouse mail several times.

This was my first extortion scam, but it turns out, it wasn’t the first that my company has dealt with.

“We have this down to a science,” my security team told me proudly.

“What do you mean by that?” I asked. “Why haven’t I known about the others?”

“They happened before you came to work here,” they explained. But they happened.

Apparently, we’ve had get-rich-quick schemes, extortion by people claiming to know where users live and to be watching them, and one that targeted parents and claimed that their kids were being watched. All kinds of awful nonsense. “We usually put in the blocks, save the data to CD, call the FBI and send them copies of what we find,” they told me. “It’s like a fire drill for us now. We know what to do automatically.”

“How often does something happen?” I wondered.

“Oh, probably 10 or so times a year....”

It seems it happens a lot more often than most people think. Most companies don’t have an internal information security department to investigate and block this stuff, and many employees never say anything about it for fear of losing their job. One of my fed buddies told me that the government estimates that several million dollars are lost by employees every year to this sort of activity.

I arranged for a company meeting to let everyone know what was going on and what we were doing about it. At the end of the meeting, I asked why it was that almost 30 people knew and yet only one came forward to tell us.

“We were afraid of losing our jobs,” said one employee.

“Why was that?” I asked.

“Because the former CSO had several people fired because she suspected—falsely—that they had visited porn sites. Some of us went to bat for them and told her they didn’t do it, but she insisted that their activities were chronic and that she had logs off the Web filtering system that proved they were chronic offenders,” the employee answered.

Several others chimed in: “We can’t trust the security department to hear our side of the story, so it’s better to keep quiet.”

Checking back with the security teams, I found out that the rumors were true about my predecessor and that people were fired for what she thought was porn-surfing during office hours on company equipment.

The technology staff tried to explain to her that what she thought was surfing was really those pop-up browser ads for porn sites. Some legit websites allow sponsored pop-ups for the porn-ad industry, and those erroneously make it look like the employee is frequenting porn sites.

Sometimes, the pop-ups keep coming up and that means that their activities look repetitive toward a porn IP address that they may never have actually visited on their own. But the former CSO wouldn’t take the time to listen, so some employees got fired for visiting porn sites they never actually visited.

Well, at least I now know why I’ve been treated as The Great Unwashed by some employees. Many security tyrants out there don’t consider all angles to a potential security problem.

At least for now, my coworker’s problem with pornography is solved, and the employees know that I am not the Ogre of Security Departments Past. Let’s hope that will stick with them for a while.

Nevertheless, I’ll need to continue to educate employees about security and try to figure out how to get them to trust my new security regime. ■

This column is written anonymously by a real CSO at a major corporation. For reader feedback, e-mail us at csoundercover@cxo.com.
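The firewall-log check the column describes (pivoting on the external address seen in the victim’s FTP transfer to find which other end-user systems it touched), as an added Python example that is not the column’s own tooling. The log format is an assumed generic one, the addresses are documentation-range placeholders, and the log lines are constructed; the example goes one step beyond the column by separating hosts that merely contacted the address from hosts that also saw an FTP data connection.

```python
"""Pivot an external IP through firewall access logs (added example)."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Set

# Constructed sample in an assumed generic format (no particular vendor):
#   <date> <time> <ALLOW|DENY> <proto> <src>:<sport> -> <dst>:<dport>
# 203.0.113.77 (documentation range) stands in for the external address
# found in the victim's FTP transfer; 10.0.0.0/8 is the internal network.
SAMPLE_FIREWALL_LOG = """\
2003-03-04 08:02:11 ALLOW tcp 10.0.5.17:1052 -> 203.0.113.77:21
2003-03-04 08:02:13 ALLOW tcp 203.0.113.77:20 -> 10.0.5.17:1053
2003-03-04 08:05:40 ALLOW tcp 10.0.5.42:1190 -> 203.0.113.77:80
2003-03-04 08:05:41 ALLOW tcp 10.0.5.42:1191 -> 203.0.113.77:21
2003-03-04 08:06:02 ALLOW tcp 203.0.113.77:20 -> 10.0.5.42:1192
2003-03-04 08:17:55 ALLOW tcp 10.0.5.9:2210 -> 198.51.100.5:80
2003-03-04 09:12:30 ALLOW tcp 10.0.6.8:1401 -> 203.0.113.77:80
2003-03-04 09:12:33 ALLOW tcp 10.0.6.8:1402 -> 203.0.113.77:21
2003-03-04 09:45:00 DENY  tcp 203.0.113.77:4444 -> 10.0.5.17:135
2003-03-04 10:30:19 ALLOW tcp 10.0.7.21:1077 -> 203.0.113.77:80
2003-03-04 10:30:20 ALLOW tcp 10.0.7.21:1078 -> 203.0.113.77:21
2003-03-04 10:30:22 ALLOW tcp 203.0.113.77:20 -> 10.0.7.21:1079
2003-03-04 11:00:03 ALLOW udp 10.0.5.17:1234 -> 192.0.2.10:53
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<action>ALLOW|DENY)\s+(?P<proto>\w+)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def is_internal(ip: str) -> bool:
    """Assumed internal range for the constructed log."""
    return ip.startswith("10.")


def pivot_on_ip(log_text: str, suspect_ip: str) -> Dict[str, object]:
    """Summarise every flow between suspect_ip and an internal host.

    Per internal host the summary records how many flows it had with the
    suspect and which ports on the suspect's side were involved (the
    suspect's destination port when it was contacted, its source port
    when it initiated, so an active-mode FTP data connection shows as 20).
    """
    hosts: Counter = Counter()
    services: Dict[str, Set[int]] = defaultdict(set)
    allowed = denied = 0
    first: Optional[str] = None
    last: Optional[str] = None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # unparseable line: skip rather than guess
        src, dst = m["src"], m["dst"]
        if src == suspect_ip:
            peer, ext_port = dst, int(m["sport"])
        elif dst == suspect_ip:
            peer, ext_port = src, int(m["dport"])
        else:
            continue
        if not is_internal(peer):
            continue
        hosts[peer] += 1
        services[peer].add(ext_port)
        if m["action"] == "ALLOW":
            allowed += 1
        else:
            denied += 1
        ts = m["ts"]  # ISO timestamps compare correctly as strings
        first = ts if first is None or ts < first else first
        last = ts if last is None or ts > last else last
    return {
        "suspect": suspect_ip,
        "flows": allowed + denied,
        "allowed": allowed,
        "denied": denied,
        "hosts": dict(hosts),
        "services": {h: sorted(p) for h, p in services.items()},
        "first_seen": first,
        "last_seen": last,
    }


def other_victims(summary: Dict[str, object], known_victim: str) -> List[str]:
    """Internal hosts that had traffic with the suspect besides the reporter."""
    return sorted(h for h in summary["hosts"] if h != known_victim)


def likely_file_transfers(summary: Dict[str, object]) -> List[str]:
    """Hosts that saw both an FTP control (21) and data (20) flow with the suspect,
    i.e. the ones that probably received files, not just a page."""
    return sorted(h for h, ports in summary["services"].items() if {20, 21} <= set(ports))


if __name__ == "__main__":
    s = pivot_on_ip(SAMPLE_FIREWALL_LOG, "203.0.113.77")
    print(s["flows"], "flows with", s["suspect"], "between", s["first_seen"], "and", s["last_seen"])
    print("other hosts contacted:", other_victims(s, "10.0.5.17"))
    print("hosts with FTP data transfers:", likely_file_transfers(s))
```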
Leadership and Innovation for the Resourceful Enterprise 

Organizations that figure out how to generate greater value with more limited IT resources thrive whatever the state of the economy. They demonstrate leadership, innovation—and resourcefulness. This year, CIO magazine honors 100 organizations that have successfully done more with less. 




Paul Saffo, Director of the Institute for the Future, joins us again as Symposium moderator. We'll have presentations from some of this year's Award honorees, and special guests. 


Join us for great networking. Take away ideas you can use to make your organization more resourceful. 


To enroll, call 800 355-0246 or visit our website at www.cio.com/conferences. 


This year's CIO 100 Awards Ceremony is proudly underwritten by 


"The best place to be a CIO or see a CIO is at a CIO magazine event." 
-B. Lee Jones, CIO, DMC Stratex Networks 


"An excellent opportunity to learn what other CIOs are doing." 
-Gary Leek, CTO, Autobytel 


PeopleSoft. 


The  Resource  for 
Information  Executives 


Tinseltown Trivia 

Lessons from the Silver Screen 


IMAGINE  IF  CSOs  had  to  deal  with  the 
security landscape as depicted by Hollywood. Corporate security systems would be 
riddled  with  easy-to-exploit  holes.  Sinister 
government  techies  would  joyfully  ruin 
credit  ratings  of  innocent  citizens.  And  most 
of  the  security  guards  at  front  desks  around 
the  world  would  suffer  narcolepsy.  OK,  so 
Hollywood  has  been  known  to  distort  reality 
a  bit  from  time  to  time.  Still,  movies  do  offer 
a  few  genuine  pearls  of  security  wisdom— 
you  just  have  to  know  where  to  look.  Here 
are  some  security  lessons  culled  from  the 
silver  screen.  If  you  don't  follow  these  best 
practices,  we  have  just  one  question:  Do  you 
feel  lucky,  punk?  Well. ..do  you? 
Frankenstein, 1931 

Premise:  Mad  scientist  creates  monster  that 
terrorizes  Bavarian  countryside. 

Security  lesson:  Fire,  bad!  Firewall,  good! 
Nnnnnhgh! 

King  Kong,  1933 

Premise:  Beautiful  starlet  returns  from  Skull 
Island  with  giant  ape  that  wreaks  havoc  on 
New  York  City. 

Security  lesson:  800-pound  gorillas  are  a 
significant  threat  to  infrastructure. 

Citizen  Kane,  1941 

Premise:  American  newspaper  tycoon  rises, 
falls. 

Security lesson: There is no better password than Rosebud. 

James Bond movies, 1962, 1963, ad infinitum 

Premise:  Dashing  good  looks,  martinis  and 
cool  gadgets  defeat  evil. 

Security  lesson:  Security  staffing  budget 
must  include  salary  for  Q. 

The  Godfather,  1972 

Premise: Black Hats dig loyalty, honor, family, violence and ill-gotten cash. 

Security  lesson:  Leave  the  virus.  Take  the 
cannoli. 


Star  Wars,  1977 

Premise:  Humans  already  had  highly 
advanced  technology  a  long  time  ago,  in  a 
galaxy  far,  far  away. 

Security  lesson:  Protect  key  intellectual 
property,  like  diagrams  that  show  how  to 
blow  up  your  Death  Star. 

WarGames,  1983 

Premise:  Ferris  Bueller  saves  world  from 
DefCon  1. 

Security lesson: If your computer asks to play either Tic-Tac-Toe or Global Thermonuclear War, pick option A. 

Independence  Day,  1996 

Premise: Close encounter of the worst kind. 

Security lesson: Even though PCs and Macs can't communicate here on Earth, your average virus-equipped laptop will easily interface with, and incinerate, enormous alien spacecraft. 

Ocean's 11, 2001 

Premise:  Dashing  good  looks  and  snappy 
dialogue  facilitate  big  casino  heist. 

Security lesson: The blueprints, schematics, systems architecture and security practices of major hotels and casinos in Las Vegas are generally available on the Web. 
Workplace Violence. Information Loss. Employee Backgrounds. Surveillance. Access Control. Risk Liability. Bio-Terrorism. Unspecified Threats. 


ARE  YOU  STILL  RELYING  ON  TRADITIONAL  SECURITY? 

The world has changed. As security professionals, we now have to be prepared for anything, including the unspecified and the unthinkable. It's an enormous responsibility, but one that doesn't have to be yours alone. We understand how your job is more important now than ever before, and we want to help. Let us get to know your business and your concerns. Then we'll draw from the broadest range of products and experience available, including the latest in digital video and access control. All to create a solution that meets the unique security needs of your company. Getting in touch is easy. Just call us at 1-877-258-6424 or visit adt.com. 

And when everybody looks to you for peace of mind, look to us. ADT. Always there. 
Protect your business with eTrust. For more information, visit ca.com/etrust/antivirus 